
Power Platform Center of Excellence: Setup Guide

Build a Power Platform CoE for governance, adoption, and developer enablement. Covers the CoE Starter Kit, DLP policies, environment strategy, monitoring, and citizen developer programs.

The Power Platform Center of Excellence (CoE) balances innovation with governance. Without it, citizen developers create ungoverned apps with hardcoded credentials, unmanaged data flows, and no backup strategy. With it, you get controlled self-service that empowers business users while protecting the enterprise.

Organizations without a CoE typically discover hundreds of ungoverned Power Apps and Power Automate flows within 12-18 months of Power Platform adoption. These apps often contain sensitive data, bypass security controls, and lack documentation or succession planning. The CoE provides visibility, guardrails, and a support structure that enables growth without chaos.


CoE Pillars

A well-functioning CoE rests on four pillars, each addressing a distinct organizational need:

| Pillar | Focus | Outcome | Key Activities |
|---|---|---|---|
| Governance | Policies, DLP, environment control | Risk reduction, compliance | DLP policy creation, connector management, environment hygiene |
| Nurture | Training, community, champions program | Adoption growth, skill development | Training paths, hackathons, maker community forums |
| Admin | Monitoring, inventory, compliance | Operational control, cost management | Resource inventory, orphaned app cleanup, license management |
| Automation | Self-service, approval flows, ALM | Speed + control, consistency | Environment provisioning, solution deployment pipelines |

Common CoE Anti-Patterns

| Anti-Pattern | Consequence | Prevention |
|---|---|---|
| Governance without enablement | Makers bypass controls, shadow IT increases | Pair every restriction with an approved alternative |
| No executive sponsor | CoE treated as optional, ignored by business units | Secure VP-level sponsor with budget authority |
| Overly restrictive DLP | Business users abandon Power Platform entirely | Start permissive, tighten based on actual risks |
| No maker community | Isolated makers repeat mistakes | Weekly office hours, Teams channel, monthly showcase |
| Manual governance | Doesn't scale past 50 apps | Automate with CoE Starter Kit from day one |

Environment Strategy

Environment design is the foundation of Power Platform governance. Poor environment strategy leads to data leakage, permission conflicts, and compliance violations.

Power Platform Environments
├── Default (restricted — DLP blocks everything except SharePoint + Office 365)
│   └── Why: All users land here. Lock it down to prevent ungoverned apps.
├── Developer Environments (per-developer sandboxes)
│   └── Why: Personal experimentation without affecting shared environments.
├── Shared Dev/Test (team collaboration)
│   └── Why: Build and test solutions collaboratively before promotion.
├── UAT (pre-production validation)
│   └── Why: Business stakeholder testing with production-like data.
├── Production (governed, change-managed)
│   └── Why: End-user facing. All changes go through ALM pipelines.
└── ALM / CoE (pipelines, CoE Starter Kit, solution deployment)
    └── Why: Separated admin tooling doesn't interfere with business environments.

Environment Best Practices

  • Lock the Default environment — Every user in your tenant has access to the Default environment. Apply the most restrictive DLP policy here to prevent ungoverned app creation.
  • One production environment per business unit — Prevents cross-department permission conflicts and simplifies data residency compliance.
  • Developer sandboxes auto-expire — Set developer environments to auto-delete after 30-60 days to prevent sprawl.
  • Never develop directly in production — Enforce this through environment maker role restrictions.

DLP (Data Loss Prevention) Policies

DLP policies control which connectors can be used together. They prevent data from flowing between business and non-business systems without explicit approval.

Policy: "Enterprise Default"
Applied to: All environments except developer sandboxes

Business Data Group (connectors can interact with each other):
  ✅ SharePoint, Outlook, Teams, OneDrive
  ✅ Dataverse, Dynamics 365
  ✅ Azure SQL, Azure Blob Storage
  ✅ Power BI
  ✅ Approvals

Non-Business Data Group:
  ⚠️ HTTP connector (webhook only — requires custom connector approval)
  ⚠️ SQL Server (on-premises — requires gateway approval)
  ⚠️ Twitter, other social connectors (limited business use)

Blocked:
  ❌ Anonymous web requests (prevents data exfiltration)
  ❌ Unapproved custom connectors (requires IT review)
  ❌ Desktop flows to unmanaged machines

DLP Pitfall: If you block the HTTP connector entirely, makers cannot call any external API — including legitimate business APIs. Instead, require custom connectors with explicit API endpoints approved by IT. Custom connectors give you visibility and control that raw HTTP does not.
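The two rules behind the "Enterprise Default" policy above (blocked connectors fail outright; business and non-business connectors cannot share an app or flow) can be checked offline against an inventory export. The following evaluator is an added example, not part of the CoE Starter Kit or the Power Platform API; the connector map is transcribed from the policy above, the inventory is constructed, and any connector not in the map is treated as an unapproved custom connector.

```python
from enum import Enum


class Group(Enum):
    BUSINESS = "business"
    NON_BUSINESS = "non-business"
    BLOCKED = "blocked"


# Transcribed from the "Enterprise Default" policy above. Connectors missing from the
# map are treated as unapproved custom connectors, which the policy blocks.
ENTERPRISE_DEFAULT = {
    **{c: Group.BUSINESS for c in (
        "SharePoint", "Outlook", "Teams", "OneDrive", "Dataverse", "Dynamics 365",
        "Azure SQL", "Azure Blob Storage", "Power BI", "Approvals")},
    **{c: Group.NON_BUSINESS for c in ("HTTP", "SQL Server", "Twitter")},
    **{c: Group.BLOCKED for c in ("Anonymous web request", "Desktop flow (unmanaged machine)")},
}


def evaluate(policy, name, connectors):
    """Apply the DLP rules to one app or flow. Returns violation messages; empty means compliant."""
    by_group = {Group.BUSINESS: [], Group.NON_BUSINESS: [], Group.BLOCKED: []}
    for c in connectors:
        by_group[policy.get(c, Group.BLOCKED)].append(c)
    violations = [f"{name}: connector '{c}' is blocked by policy" for c in by_group[Group.BLOCKED]]
    # A non-business connector alone is allowed; mixing it with a business connector is not.
    if by_group[Group.BUSINESS] and by_group[Group.NON_BUSINESS]:
        violations.append(f"{name}: business {by_group[Group.BUSINESS]} "
                          f"mixed with non-business {by_group[Group.NON_BUSINESS]}")
    return violations


def audit(policy, inventory):
    """inventory: {app_or_flow_name: [connectors]} -> {name: violations} for non-compliant items only."""
    return {name: v for name, conns in inventory.items() if (v := evaluate(policy, name, conns))}


# Constructed sample inventory; not real tenant data.
SAMPLE_INVENTORY = {
    "Expense Approval": ["SharePoint", "Approvals", "Outlook"],   # compliant
    "Lead Sync": ["Dataverse", "HTTP"],                           # business + non-business
    "Vendor Import": ["Azure SQL", "Contoso Custom API"],         # unapproved custom connector
    "Social Digest": ["Twitter"],                                 # non-business alone is fine
}

if __name__ == "__main__":
    for problems in audit(ENTERPRISE_DEFAULT, SAMPLE_INVENTORY).values():
        print(*problems, sep="\n")
```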


CoE Starter Kit Setup

Microsoft’s free toolkit provides the foundation for Power Platform administration. It inventories every app, flow, and connector in your tenant and provides automated governance workflows.

Core Components

| Component | Purpose | Setup Effort |
|---|---|---|
| Inventory | Discovery of all apps, flows, connectors, makers across all environments | 2-4 hours |
| Admin module | Compliance tracking, environment management dashboards | 4-8 hours |
| Governance | Archival policies, approval workflows for premium connectors | 4-8 hours |
| Nurture | Maker community portal, training tracking, welcome flow | 2-4 hours |
| Audit | Usage analytics, orphaned resource detection, license optimization | 2-4 hours |

Key Automations to Configure

Every CoE should have these automations running from day one:

1. New app created → Notify CoE team + assign compliance review within 5 business days
2. App uses premium connector → Require business justification + manager approval
3. App unused for 90 days → Send warning to maker → Archive after 120 days if no response
4. DLP violation detected → Block execution + notify admin + log violation
5. New maker joins → Welcome email with training resources + community links
6. App shared with > 50 users → Trigger ALM review (should be in managed environment)
7. Custom connector created → Require IT security review before approval
8. Flow error rate > 10% → Notify maker + CoE for investigation
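Automations 3, 6 and 8 above are threshold rules over the inventory, and the 90/120-day rule has a state to track (warned, responded). The decision logic, as an added example with a constructed record schema rather than the Starter Kit's own flows, looks like this; field names such as `warned_on` and `maker_responded` are assumptions.

```python
from datetime import date, timedelta

WARN_AFTER = timedelta(days=90)      # automation 3: warn the maker
ARCHIVE_AFTER = timedelta(days=120)  # automation 3: archive if the maker never responded
SHARE_THRESHOLD = 50                 # automation 6: ALM review above this many users
ERROR_RATE_THRESHOLD = 0.10          # automation 8: investigate above 10% failed runs


def lifecycle_action(last_used, warned_on, maker_responded, today):
    """Inactivity decision for one resource on a given day."""
    idle = today - last_used
    if idle < WARN_AFTER:
        return "none"
    if warned_on is None:
        return "warn"       # first time past 90 days: notify the maker
    if maker_responded:
        return "hold"       # maker answered the warning: never auto-archive
    if idle >= ARCHIVE_AFTER:
        return "archive"    # warned, silent, and past 120 days
    return "wait"           # warned, no reply yet, still inside the grace window


def review_actions(resource, today):
    """Collect every automation that fires for one inventory record (constructed schema)."""
    actions = []
    life = lifecycle_action(resource["last_used"], resource.get("warned_on"),
                            resource.get("maker_responded", False), today)
    if life != "none":
        actions.append(life)
    if resource.get("shared_users", 0) > SHARE_THRESHOLD and not resource.get("managed_env", False):
        actions.append("alm-review")
    runs, failures = resource.get("runs", 0), resource.get("failures", 0)
    if runs and failures / runs > ERROR_RATE_THRESHOLD:
        actions.append("investigate-errors")
    return actions


TODAY = date(2024, 6, 1)  # constructed reference date
SAMPLE = [  # constructed records, not real tenant data
    {"name": "Old Survey App", "last_used": date(2024, 1, 1), "warned_on": date(2024, 4, 2)},
    {"name": "Team Tracker", "last_used": date(2024, 5, 20), "shared_users": 120, "managed_env": False},
    {"name": "Nightly Sync", "last_used": date(2024, 5, 31), "runs": 30, "failures": 5},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["name"], review_actions(r, TODAY))
```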

Prerequisites

Before deploying the CoE Starter Kit, ensure:

  • Premium licensing — The CoE Starter Kit requires Power Apps per-user or per-app licenses (not included in Microsoft 365)
  • Dataverse environment — The kit stores its data in Dataverse
  • Service account — A dedicated service account (not a personal admin account) for running CoE flows
  • Admin consent — Global admin or Power Platform admin role for initial setup

Citizen Developer Program

The citizen developer program is the human side of the CoE. Without structured training and governance tiers, makers create apps that work but cannot be maintained, secured, or scaled.

Governance Tiers

| Tier | Who | Can Build | Governance Level | License Needed |
|---|---|---|---|---|
| Explorer | Any employee who completes fundamentals training | Personal productivity apps (no custom connectors) | Default DLP, self-service, apps auto-expire | Microsoft 365 (included) |
| Maker | Completed advanced training + code review | Department apps shared with teams | Code review by CoE, monthly audit, managed environments | Power Apps per-app |
| Pro Developer | IT/Dev team members | Enterprise solutions, custom connectors, integrations | Full ALM pipeline, CI/CD, source control, managed environments | Power Apps per-user |

Training Path

Each governance tier requires specific training milestones:

Explorer Path (4 hours):
  1. Power Platform Fundamentals (self-paced, 2 hours)
  2. DLP and Security Basics (self-paced, 1 hour)
  3. CoE Compliance Quiz (30 minutes, must score 80%+)

Maker Path (16 hours):
  4. Power Apps Canvas App Development (instructor-led, 8 hours)
  5. Power Automate Best Practices (self-paced, 4 hours)
  6. Security & Governance Workshop (instructor-led, 4 hours)
  7. Certification: PL-900 (Power Platform Fundamentals)

Pro Developer Path (40+ hours):
  8. Model-Driven App Development (instructor-led, 16 hours)
  9. Custom Connector Development (self-paced, 8 hours)
  10. ALM & DevOps for Power Platform (instructor-led, 8 hours)
  11. Certification: PL-400 (Power Platform Developer)

Champions Program

Identify 1-2 Power Platform champions per business unit. Champions:

  • Serve as first-line support for makers in their department
  • Escalate governance issues to the CoE team
  • Present at monthly maker community meetings
  • Receive advanced training and early access to new features
  • Report on adoption metrics for their business unit

Monitoring & Metrics

| Metric | Target | Tool | Review Frequency |
|---|---|---|---|
| Total apps in production | Track growth trend | CoE Starter Kit Dashboard | Monthly |
| Active makers (monthly) | Growing month-over-month | CoE Analytics | Monthly |
| Orphaned resources | < 5% of total resources | Automated audit flow | Weekly |
| DLP violations | Trending down after initial setup | CoE Compliance Dashboard | Weekly |
| Maker satisfaction (NPS) | > 40 | Quarterly survey | Quarterly |
| Time to deploy (dev→prod) | < 2 weeks for standard apps | ALM pipeline metrics | Monthly |
| Premium license utilization | > 70% assigned licenses actively used | License dashboard | Monthly |
| Support ticket volume | Stable or decreasing (self-service improving) | Help desk integration | Monthly |

Budget Considerations

| Item | Cost Range | Notes |
|---|---|---|
| Power Apps per-user license | $20/user/month | For Pro Developers and heavy Makers |
| Power Apps per-app license | $5/app/month | For Explorer-tier apps with limited users |
| Power Automate premium | $15/user/month | Required for premium connectors |
| CoE Starter Kit | Free | Microsoft-provided, but requires premium licenses to run |
| Training (external) | $500-2,000/person | For instructor-led sessions and certifications |
| CoE team headcount | 1 FTE per 200 makers | Dedicated governance and support |

Checklist

  • Environment strategy defined (dev/test/prod separation, Default locked down)
  • DLP policies configured and enforced across all environments
  • CoE Starter Kit deployed with service account and Dataverse
  • Citizen developer tiers defined with training requirements and licensing
  • App lifecycle management (ALM) pipeline established for production apps
  • Orphaned resource detection automated (90-day unused threshold)
  • Monthly governance review cadence set with CoE team
  • Executive sponsor identified with budget authority
  • Champions program launched (1-2 per business unit)
  • Premium license utilization tracked and optimized monthly

:::note[Source] This guide is derived from operational intelligence at Garnet Grid Consulting. For Power Platform consulting, visit garnetgrid.com. :::

Jakub Dimitri Rezayev
Founder & Chief Architect • Garnet Grid Consulting

Jakub holds an M.S. in Customer Intelligence & Analytics and a B.S. in Finance & Computer Science from Pace University. With deep expertise spanning D365 F&O, Azure, Power BI, and AI/ML systems, he architects enterprise solutions that bridge legacy systems and modern technology — and has led multi-million dollar ERP implementations for Fortune 500 supply chains.
