These scripts automate managing (create, update, get, delete) Power Platform Enterprise Policies as Azure resources.
In addition, we are providing sample scripts on how to associate these policies with Power Platform environments.
Please note that these scripts are provided under the MIT license and their use is the sole responsibility of the user.
- Install modules script : This script installs the required modules to run the Enterprise Policies scripts.
  Script name : InstallPowerAppsCmdlets.ps1. Run the script to import the required PowerShell modules.
- Setup Azure subscription for Microsoft.PowerPlatform : This script registers the Azure subscription for the Microsoft.PowerPlatform resource provider and also allow-lists the subscription for the enterprisePoliciesPreview feature.
  Script name : SetupSubscriptionForPowerPlatform.ps1. Run the script to set up the Azure subscription for Microsoft.PowerPlatform resources.
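The same subscription preparation done by hand with Az cmdlets, as an added example that is not the repository's SetupSubscriptionForPowerPlatform.ps1. It assumes Az.Accounts and Az.Resources are installed, that Connect-AzAccount has already been run, and that the subscription id is a placeholder to be replaced; the feature is registered before the provider because a provider only picks up a preview feature once that feature has reached the Registered state.

```powershell
# Added example, not the repository's own script. Assumes Az.Accounts/Az.Resources and a prior Connect-AzAccount.
param([string]$subscriptionId = "00000000-0000-0000-0000-000000000000")  # placeholder subscription id

$ns      = "Microsoft.PowerPlatform"
$feature = "enterprisePoliciesPreview"
Set-AzContext -SubscriptionId $subscriptionId | Out-Null

# Both registrations are asynchronous; poll a condition until it holds or a deadline passes.
function Wait-Until([scriptblock]$Condition, [int]$TimeoutMinutes = 10) {
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        if (& $Condition) { return $true }
        Start-Sleep -Seconds 15
    }
    return $false
}

# 1. Allow-list the subscription for the preview feature and wait for it to register.
Register-AzProviderFeature -ProviderNamespace $ns -FeatureName $feature | Out-Null
$featureOk = Wait-Until { (Get-AzProviderFeature -ProviderNamespace $ns -FeatureName $feature).RegistrationState -eq "Registered" }
if (-not $featureOk) { throw "Feature $feature did not reach the Registered state in time" }

# 2. (Re-)register the resource provider after the feature so the provider picks the feature up.
Register-AzResourceProvider -ProviderNamespace $ns | Out-Null
$providerOk = Wait-Until { (Get-AzResourceProvider -ProviderNamespace $ns | Select-Object -First 1).RegistrationState -eq "Registered" }
if (-not $providerOk) { throw "Resource provider $ns did not reach the Registered state in time" }

# 3. Confirm the enterprisePolicies resource type is available and report the geos it supports.
$rt = (Get-AzResourceProvider -ProviderNamespace $ns).ResourceTypes | Where-Object ResourceTypeName -eq enterprisePolicies
[pscustomobject]@{
    Subscription = $subscriptionId
    Provider     = "Registered"
    Feature      = "Registered"
    Locations    = ($rt.Locations -join ", ")
}
```

The final object is what you would paste into a change record: it shows that the provider and feature are registered and which enterprise policy locations the subscription can now use.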
The CMK scripts are in the Cmk folder at the current location.
- Create CMK Enterprise Policy : This script creates a CMK enterprise policy
Script name : CreateCMKEnterprisePolicy.ps1
Input parameters :
- subscriptionId : The subscriptionId where the CMK enterprise policy needs to be created
- resourceGroup : The resource group where the CMK enterprise policy needs to be created
- enterprisePolicyName : The name of the CMK enterprise policy resource
- enterprisePolicyLocation : The Azure geo where the CMK enterprise policy needs to be created. Example: unitedstates, europe, australia.
  To get the complete list of supported locations for enterprise policy, the following command can be used:
  ((Get-AzResourceProvider -ProviderNamespace Microsoft.PowerPlatform).ResourceTypes | Where-Object ResourceTypeName -eq enterprisePolicies).Locations
- keyVaultId : The ARM resource ID of the key vault used for CMK
- keyName : The name of the key in the key vault used for CMK
- keyVersion : The version of the key in the key vault used for CMK
- Get CMK Enterprise Policy By ResourceId : The script gets a CMK enterprise policy by ARM resourceId
Script name : GetCMKEnterprisePolicyByResourceId.ps1
Input parameter :
- enterprisePolicyArmId : The ARM resource ID of the CMK Enterprise Policy
- Get CMK Enterprise Policies in Subscription : The script gets all CMK enterprise policies in an Azure subscription
Script name : GetCMKEnterprisePoliciesInSubscription.ps1
Input parameter :
- subscriptionId : The Azure subscription Id
- Get CMK Enterprise Policies in Resource Group : The script gets all CMK enterprise policies in an Azure resource group
Script name : GetCMKEnterprisePoliciesInResourceGroup.ps1
Input parameters :
- subscriptionId : The Azure subscription Id
- resourceGroup : The Azure resource group
- Validate Azure Key Vault : This script checks whether the Key Vault is set up correctly according to the prerequisites required by the Power Platform CMK Enterprise Policy. For details, follow the setup instructions at https://learn.microsoft.com/power-platform/admin/customer-managed-key#create-encryption-key-and-grant-access
  The following major validations are performed:
  - Soft-delete is enabled for the key vault: follow the instructions at https://learn.microsoft.com/azure/key-vault/general/soft-delete-change to update the soft-delete property.
  - Purge protection is enabled for the key vault: follow the instructions at https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery?tabs=azure-portal for details about enabling purge protection.
  - The "Key Vault Crypto Service Encryption User" role assignment is present for the given enterprise policy if the key vault permission model is Azure role-based access control.
  - Access policies for GET, UNWRAPKEY and WRAPKEY are added to the key vault for the given enterprise policy if the key vault permission model is vault access policy.
  - The key configured for the given enterprise policy is present, enabled, activated and not expired.
  Script name : ValidateKeyVaultForCMK.ps1
  Input parameters :
  - subscriptionId : The Azure subscription Id of the Key Vault
  - keyVaultName : The name of the key vault
  - enterprisePolicyArmId : The CMK enterprise policy ARM Id
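The validations listed above, re-implemented with Az cmdlets as an added example that is not the repository's ValidateKeyVaultForCMK.ps1. It assumes Az.Accounts, Az.KeyVault and Az.Resources are installed, that Connect-AzAccount has been run with an identity allowed to read the vault, the policy resource and role assignments, and that the key name and version can be read from the policy resource at the property path `Properties.encryption.keyVault.key` (an assumption about the resource schema; adjust if your policy object differs). The subscription, vault and policy ids are placeholders.

```powershell
# Added example, not the repository's own script. Collects findings instead of stopping at the first
# failure so one run reports everything that still needs fixing.
param(
    [string]$subscriptionId        = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$keyVaultName          = "<key-vault-name>",                       # placeholder
    [string]$enterprisePolicyArmId = "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.PowerPlatform/enterprisePolicies/<name>"  # placeholder
)

Set-AzContext -SubscriptionId $subscriptionId | Out-Null

$vault = Get-AzKeyVault -VaultName $keyVaultName
if (-not $vault) { throw "Key vault '$keyVaultName' not found in subscription $subscriptionId" }

# The policy's system-assigned managed identity is the principal that must be able to wrap/unwrap the key.
$policy      = Get-AzResource -ResourceId $enterprisePolicyArmId
$principalId = $policy.Identity.PrincipalId
$keyName     = $policy.Properties.encryption.keyVault.key.name     # assumed property path
$keyVersion  = $policy.Properties.encryption.keyVault.key.version  # assumed property path

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Soft-delete and purge protection: without both, a deleted or purged key takes the encrypted data with it.
if (-not $vault.EnableSoftDelete)      { $findings.Add("Soft-delete is not enabled on '$keyVaultName'") }
if (-not $vault.EnablePurgeProtection) { $findings.Add("Purge protection is not enabled on '$keyVaultName'") }

# 2. Permissions, checked against whichever permission model the vault actually uses.
if ($vault.EnableRbacAuthorization) {
    # Inherited assignments (subscription/resource group scope) are returned as well.
    $ra = Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId `
              -RoleDefinitionName "Key Vault Crypto Service Encryption User" -ErrorAction SilentlyContinue
    if (-not $ra) { $findings.Add("Missing 'Key Vault Crypto Service Encryption User' assignment for principal $principalId") }
} else {
    $ap       = $vault.AccessPolicies | Where-Object ObjectId -eq $principalId
    $required = @('get', 'unwrapkey', 'wrapkey')
    $have     = @($ap.PermissionsToKeys | ForEach-Object { $_.ToLower() })
    $missing  = $required | Where-Object { $_ -notin $have }
    if ($missing) { $findings.Add("Access policy for principal $principalId lacks key permissions: $($missing -join ', ')") }
}

# 3. Key state: present, enabled, already activated (NotBefore has passed) and not expired.
$key = Get-AzKeyVaultKey -VaultName $keyVaultName -Name $keyName -Version $keyVersion -ErrorAction SilentlyContinue
$now = [DateTime]::UtcNow
if (-not $key)                                       { $findings.Add("Key $keyName (version $keyVersion) not found in '$keyVaultName'") }
elseif (-not $key.Enabled)                           { $findings.Add("Key $keyName is disabled") }
elseif ($key.NotBefore -and $key.NotBefore -gt $now) { $findings.Add("Key $keyName is not yet activated (NotBefore $($key.NotBefore))") }
elseif ($key.Expires -and $key.Expires -le $now)     { $findings.Add("Key $keyName expired on $($key.Expires)") }

if ($findings.Count -eq 0) {
    Write-Output "Key vault '$keyVaultName' passes all CMK prerequisite checks for $enterprisePolicyArmId"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    throw "$($findings.Count) CMK prerequisite check(s) failed"
}
```

Run it before associating the policy with an environment and again as part of key rotation: the activation and expiry checks are the ones that most often turn a working environment into an inaccessible one when a rotated key goes live with a NotBefore in the future.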
- Update CMK Enterprise Policy : This script updates a CMK Enterprise Policy. The updates allowed are for keyVaultId, keyName, keyVersion.
If you are changing only some of the allowed parameter values, provide “N/A” when prompted for the parameters that you don’t want to change.
If the enterprise policy is associated with one or more environments, the update operation will fail, and the script will return an error.
Script name : UpdateCMKEnterprisePolicy.ps1
Input parameters :
- subscriptionId : The Azure subscription Id of the CMK Enterprise Policy
- resourceGroup : The Azure resource group of the CMK Enterprise Policy
- enterprisePolicyName : The name of the CMK enterprise policy that needs to be updated
- keyVaultId : The ARM resource ID of the key vault if it needs to be updated. Provide "N/A" if update is not required for key vault Id
- keyName: The name of the key if it needs to be updated. Provide "N/A" if update is not required for name of the key
- keyVersion: The version of the key if it needs to be updated. Provide "N/A" if update is not required for version of the key
- Delete CMK Enterprise Policy : This script deletes the CMK Enterprise Policy for a given policy Id.
If the CMK enterprise policy is associated with one or more environments, the delete operation will fail, and the script will return an error.
Script name : RemoveCMKEnterprisePolicy.ps1
Input parameter :
- policyArmId : The ARM ID of the CMK enterprise policy to be deleted
- Set CMK for an environment : This script applies a CMK enterprise policy to a given Power Platform environment.
The script adds the environment to the enterprise policy and optionally polls for the operation outcome.
Script name : AddCustomerManagedKeyToEnvironment.ps1
Input parameters :
- environmentId : The Power Platform environment ID
- policyArmId : The ARM ID of the CMK Enterprise Policy
- Get CMK for an environment : This script returns the CMK enterprise policy if applied to a given Power Platform environment.
Script name : GetCMKEnterprisePolicyForEnvironment.ps1
Input parameter :
- environmentId : The Power Platform environment ID
- Remove CMK from an environment : The script removes the CMK enterprise policy from an environment, which results in the data being encrypted with a Microsoft-managed encryption key.
Script name : RemoveCustomerManagedKeyFromEnvironment.ps1
Input parameters :
- environmentId : The Power Platform environment ID
- policyArmId: The ARM ID of the CMK Enterprise Policy
The Subnet Injection scripts are in the SubnetInjection folder at the current location.
This script adds the subnet delegation for the Microsoft.PowerPlatform/enterprisePolicies Azure service to a given virtual network and subnet.
Script name : SetupVnetForSubnetDelegation.ps1
Input parameters :
- virtualNetworkSubscriptionId : The subscriptionId of the virtual network
- resourceGroupName : The resource group of the virtual network
- virtualNetworkName : The name of the virtual network
- subnetName : The name of the virtual network's subnet
NOTE: This can also be achieved through the Azure portal; more documentation on subnet delegation is available here.
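An idempotent version of the delegation step, as an added example that is not the repository's SetupVnetForSubnetDelegation.ps1. It assumes Az.Accounts and Az.Network are installed and Connect-AzAccount has been run; the subscription, resource group, virtual network and subnet names are placeholders. Because a subnet can carry only one delegation, the example refuses to overwrite a delegation to a different service instead of silently breaking whatever is already injected into that subnet.

```powershell
# Added example, not the repository's own script. Assumes Az.Accounts/Az.Network and a prior Connect-AzAccount.
param(
    [string]$virtualNetworkSubscriptionId = "00000000-0000-0000-0000-000000000000",  # placeholder
    [string]$resourceGroupName            = "<resource-group>",                      # placeholder
    [string]$virtualNetworkName           = "<vnet-name>",                           # placeholder
    [string]$subnetName                   = "<subnet-name>"                          # placeholder
)

$serviceName = "Microsoft.PowerPlatform/enterprisePolicies"
Set-AzContext -SubscriptionId $virtualNetworkSubscriptionId | Out-Null

$vnet   = Get-AzVirtualNetwork -Name $virtualNetworkName -ResourceGroupName $resourceGroupName
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet

# Already delegated to Power Platform: nothing to change, so do not touch the VNet at all.
$existing = @($subnet.Delegations)
if ($existing | Where-Object ServiceName -eq $serviceName) {
    Write-Output "Subnet '$subnetName' is already delegated to $serviceName; nothing to do"
    return
}
# Delegated to something else: stop, a subnet holds a single delegation and the other service would lose it.
if ($existing.Count -gt 0) {
    throw "Subnet '$subnetName' is already delegated to '$($existing[0].ServiceName)'; use a dedicated subnet"
}

$subnet = Add-AzDelegation -Name "PowerPlatformDelegation" -ServiceName $serviceName -Subnet $subnet
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Re-read from Azure and confirm the delegation landed before reporting success.
$check = Get-AzVirtualNetwork -Name $virtualNetworkName -ResourceGroupName $resourceGroupName |
         Get-AzVirtualNetworkSubnetConfig -Name $subnetName
if ($check.Delegations.ServiceName -contains $serviceName) {
    Write-Output "Subnet '$subnetName' in '$virtualNetworkName' is now delegated to $serviceName"
} else {
    throw "Delegation was not applied to subnet '$subnetName'"
}
```

The re-read at the end matters because Set-AzVirtualNetwork returns the object it was given, not necessarily what the service persisted; checking the stored state is what tells you the later Create Subnet Injection step will find the delegation it requires.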
This script creates a Subnet Injection enterprise policy
Script name : CreateSubnetInjectionEnterprisePolicy.ps1
Input parameters :
- subscriptionId : The subscriptionId where Subnet Injection enterprise policy needs to be created
- resourceGroup : The resource group where Subnet Injection enterprise policy needs to be created
- enterprisePolicyName : Designate a name for the Subnet Injection enterprise policy
- enterprisePolicyLocation : The Azure geo where the Subnet Injection enterprise policy needs to be created. Example: unitedstates, europe, australia, uk
  To get the complete list of supported geos for enterprise policy, use the following command:
  ((Get-AzResourceProvider -ProviderNamespace Microsoft.PowerPlatform).ResourceTypes | Where-Object ResourceTypeName -eq enterprisePolicies).Locations
- primaryVnetId : The ARM resource ID of the primary virtual network to be used for Subnet Injection
- primarySubnetName : The name of the subnet in the primary virtual network to be used for Subnet Injection
- secondaryVnetId : The ARM resource ID of the secondary virtual network to be used for Subnet Injection. Can be set to N/A for geos with only 1 supported region; must be provided for geos with 2+ supported regions
- secondarySubnetName : The name of the subnet in the secondary virtual network to be used for Subnet Injection. Can be set to N/A for geos with only 1 supported region; must be provided for geos with 2+ supported regions
NOTE:
- ❗ If there is more than one supported region for the geo (see the list of supported regions), the primary and secondary VNets must have been created in different regions within the geo
- ❗ To delete a Subnet Injection enterprise policy:
  - Run "Remove Subnet Injection from an environment" for ALL associated environments; the remove command below should error and call out if there are environments still associated
  - Run the following command (see the "Get Subnet Injection Enterprise Policy" scripts if needed to find the ARM resource ID):
    Remove-AzResource -ResourceId $policyArmId -Force
This script gets a Subnet Injection enterprise policy by ARM resourceId
Script name : GetSubnetInjectionEnterprisePolicyByResourceId.ps1
Input parameter :
- enterprisePolicyArmId : The ARM resource ID of the Subnet Injection Enterprise Policy
This script gets all Subnet Injection enterprise policies in an Azure subscription
Script name : GetSubnetInjectionEnterprisePoliciesInSubscription.ps1
Input parameter :
- subscriptionId : The Azure subscription Id
This script gets all Subnet Injection enterprise policies in an Azure resource group
Script name : GetSubnetInjectionEnterprisePoliciesInResourceGroup.ps1
Input parameters :
- subscriptionId : The Azure subscription Id
- resourceGroup : The Azure resource group
This script updates a Subnet Injection Enterprise Policy. The updates allowed are for primary/secondary virtual network Id and/or primary/secondary subnet name.
If you are changing only some of the allowed parameter values, provide “N/A” when prompted for the parameters that you don’t want to change.
If the enterprise policy is associated with one or more environments, the update operation will fail, and the script will return an error.
Script name : UpdateSubnetInjectionEnterprisePolicy.ps1
Input parameters :
- subscriptionId : The Azure subscription Id of the Subnet Injection Enterprise Policy
- resourceGroup : The Azure resource group of the Subnet Injection Enterprise Policy
- enterprisePolicyName : The name of the Subnet Injection enterprise policy that needs to be updated
- primaryVnetId : The ARM resource ID of the primary virtual network if it needs to be updated. Provide "N/A" if update is not required for the primary virtual network Id
- primarySubnetName: The name of the subnet in the primary virtual network if it needs to be updated. Provide "N/A" if update is not required for name of the subnet in the primary virtual network
- secondaryVnetId : The ARM resource ID of the secondary virtual network if it needs to be updated. Provide "N/A" if update is not required for the secondary virtual network Id
- secondarySubnetName: The name of the subnet in the secondary virtual network if it needs to be updated. Provide "N/A" if update is not required for name of the subnet in the secondary virtual network
This script applies a Subnet Injection enterprise policy to a given Power Platform environment.
The script adds the environment to the enterprise policy and optionally polls for the operation outcome.
Script name : NewSubnetInjection.ps1
Input parameters :
- environmentId : The Power Platform environment ID
- policyArmId : The ARM ID of the Subnet Injection Enterprise Policy
This script returns the Subnet Injection enterprise policy if applied to a given Power Platform environment.
Script name : GetSubnetInjectionEnterprisePolicyForEnvironment.ps1
Input parameter :
- environmentId : The Power Platform environment ID
This script removes the Subnet Injection enterprise policy from an environment.
Script name : RevertSubnetInjection.ps1
Input parameters :
- environmentId : The Power Platform environment ID
- policyArmId: The ARM ID of the Subnet Injection Enterprise Policy
The diagnostic commands are designed to help troubleshoot issues with the VNET functionality provided by Power Platform. They can be run in both Windows PowerShell and PowerShell Core environments.
You can get the module in two different ways: either through the PowerShell Gallery or by downloading the module from GitHub Releases. Both options provide the same functionality.
In a PowerShell session, run the following command the first time you open the PowerShell session:
Install-Module -Name Microsoft.PowerPlatform.EnterprisePolicies
Import-Module Microsoft.PowerPlatform.EnterprisePolicies
This will import the module, validate prerequisites and make the functions available for use. If you are missing any prerequisites, the module will inform you and ask for permission to install them.
Go to the Releases page and download the latest release zip file. Extract the contents to a local directory.
Navigate to the extracted directory and run the following command the first time you open the PowerShell session:
Import-Module .\Microsoft.PowerPlatform.EnterprisePolicies
This will import the module, validate prerequisites and make the commands available for use. If you are missing any prerequisites, the module will inform you and ask for permission to install them.
Once your module has been imported into your PowerShell session, you can run the diagnostic functions as needed. For example, to run the Get-EnvironmentUsage function, you would use:
Get-EnvironmentUsage -EnvironmentId "your-environment-id"
For a full list of available functions and their usage, you can refer to the help documentation by checking out the EnterprisePolicies Docs folder.
To get started with development, clone the repository and open it in VSCode. The scripts are written in PowerShell and follow standard PowerShell conventions.
Please place any common functions in the Private folder, and any module-level functions that are going to be exposed in the Public folder.
In order to run tests, please ensure you do the following from the repository root:
# You might need the --interactive flag
dotnet restore
Note: If you are not a Microsoft employee, you will need to modify the Nuget.config file to point to the public NuGet repository.
Then, you can enable running the tests by going to the Run and Debug view in VSCode and selecting and running the Load Modules
script. This will load the necessary modules and allow you to run the tests.
Note: You should clear out any Pester installations, as the tests are written using the latest version of Pester.
- StatusCode: 404
  - ErrorMessage contains: The environment '<guid>' could not be found in the tenant...
  - Solution: Ensure the user has the Power Platform Administrator (or equivalent) role
- ErrorCode: InUseSubnetCannotBeDeleted or SubnetMissingRequiredDelegation
  - ErrorMessage contains: .../serviceAssociationLinks/PowerPlatformServiceLink...
  - Solution: Delete the Subnet Injection enterprise policy first; see the notes section in "Create subnet injection enterprise policy"