Building Apps at Scale in Power Platform? Not for the Faint of Heart… or CoE Security


Enterprises are racing to adopt AI copilots and low-code/no-code platforms to innovate and maximize efficiency by placing powerful technology and development tools in the hands of all business users. While the productivity gains are enormous, so are the security risks: the nature of these copilots and low-code platforms produces a surge of new business apps across the enterprise. Unfortunately, open-source toolkits like the Microsoft Power Platform Center of Excellence (CoE) Starter Kit do not provide the security controls needed to keep up.

One of the biggest challenges facing organizations in general, and security teams in particular, is the sheer scale of apps, automations, and copilots being built by business users of every technical background. This is not tens of applications but hundreds of thousands, and in some cases millions, of individual apps, automations, and copilots built across various AI and low-code platforms. Keeping track of all of them, and understanding what each one does and touches, has never been harder.

Many security teams that we talk to are initially convinced that they can use native tooling provided by the platforms themselves to maintain control over professional and citizen development happening there, but the proof, as they say, is in the pudding. 

This blog discusses both the pros and cons of the Microsoft CoE Starter Kit and highlights why deeper, more scalable security is inevitably needed.

Microsoft Center Of Excellence Toolkit 

The Microsoft CoE toolkit is aimed at helping Power Platform administrators manage the various tools that comprise the platform, such as Power Apps, Power Automate, and Copilot Studio. 

Microsoft’s own documentation for the toolkit states, “The Microsoft Power Platform CoE Starter Kit is a collection of components and tools that are designed to help you get started with developing a strategy for adopting and supporting Microsoft Power Platform, with a focus on Power Apps, Power Automate, and Microsoft Copilot Studio.”

You’ll notice the key term ‘get started with’ nestled in there, but it does bear mentioning that the CoE does, in fact, provide a baseline of knowledge, insights, and governance capabilities that can be useful as adoption of Power Platform starts to take hold in the enterprise. 

Challenges in Scale

While it provides value in getting things off the ground, there are countless stories from users struggling with it. Despite its popularity as an open-source solution, the CoE kit has significant limitations when it comes to supporting large enterprises, or even organizations that are simply well underway with their adoption of Power Platform.

Reports indicate that the CoE kit's controls begin to break down in tenants with more than 25,000 flows, a small number by enterprise standards, leading to operational disruptions. Zenity research has shown that the average enterprise today has over 500,000 individual apps and copilots built using low-code and/or copilot-driven development.

The ease of use of Power Platform is a feature designed to allow more and more people to build more and more apps and copilots, so in order to fully capitalize on the productivity gains, security needs to have a scalable solution that can grow as development grows. However, if we look at some real examples and exchanges, we see that the CoE is simply not designed for this. 

Real World Examples

A GitHub user weighed in in January 2023, stating, “Our failed environment (default) contains more than 20,000 flows. Do you know how we can proceed…?” The official response from the Microsoft admin overseeing this case states, “the CoE kit is built on top of the product, and as such bound to platform limitations,” and continues, “If you are hitting limitations with this connector, there’s unfortunately nothing we can do to provide a workaround.”

Sadly, this is not the only example. Similar cases have played out in other reported issues, where platform administrators invariably hit throttling limits or error messages stating that various HTTP requests have failed because of the tenant's scale.

While frustrating for end users (and for readers following these cases), this challenge of scale makes logical sense. Open-source solutions like the CoE kit offer flexibility and community-driven development, but they come with inherent risks and limitations. No one can promise a service level agreement (SLA) or commit to the robustness of the solution, and the load it must handle varies, and keeps growing, from organization to organization.

While Microsoft offers a few custom workarounds, these too are limited in nature and do not account for further scale, customization, and individual use cases required across different organizations. 
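The failures quoted above are the ordinary shape of a paged list API being walked by a client that does not expect to be throttled. The script below, added here as an illustration and not code from the original post or from the CoE Starter Kit, contrasts a naive page walk with one that follows continuation links and honours HTTP 429 Retry-After. The request and response shape (a JSON page with "value" and "nextLink", a 429 carrying Retry-After) is the general pattern of the Power Platform admin APIs; the endpoint path, page size, throttling cadence and the in-memory "server" are constructed assumptions so that it runs offline.

```python
"""Throttle-aware, paged inventory walk over a Power Automate-style list API.

Added example, not code from the original post or from the CoE Starter Kit.
The HTTP shape (a JSON page with "value" and "nextLink", HTTP 429 with a
Retry-After header) follows the general pattern of the Power Platform admin
APIs, but the endpoint, page size and throttling policy below are assumptions,
and the "server" is a constructed in-memory stand-in so the script runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    status: int
    body: Dict = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


class ThrottledFlowServer:
    """Constructed stand-in for a tenant with `total` flows, served `page_size`
    at a time, that answers HTTP 429 on every `throttle_every`-th request."""

    def __init__(self, total: int, page_size: int = 50, throttle_every: int = 7):
        self.total = total
        self.page_size = page_size
        self.throttle_every = throttle_every
        self.requests = 0

    def get(self, url: str) -> Response:
        self.requests += 1
        if self.requests % self.throttle_every == 0:
            return Response(429, headers={"Retry-After": "2"})
        # Continuation token encoded as a skip offset in the URL (an assumption).
        skip = int(url.split("skip=")[1]) if "skip=" in url else 0
        ids = range(skip, min(skip + self.page_size, self.total))
        body = {"value": [{"name": f"flow-{i:06d}", "properties": {"state": "Started"}} for i in ids]}
        if skip + self.page_size < self.total:
            body["nextLink"] = f"/flows?skip={skip + self.page_size}"
        return Response(200, body)


class InventoryError(RuntimeError):
    pass


def naive_inventory(get: Callable[[str], Response], start_url: str = "/flows") -> List[Dict]:
    """The shape the page describes failing: one unguarded request per page,
    so a single 429 aborts the whole walk."""
    flows: List[Dict] = []
    url: Optional[str] = start_url
    while url:
        resp = get(url)
        if resp.status != 200:
            raise InventoryError(f"HTTP {resp.status} fetching {url}")
        flows.extend(resp.body["value"])
        url = resp.body.get("nextLink")
    return flows


def inventory_flows(get: Callable[[str], Response], start_url: str = "/flows",
                    max_retries: int = 5,
                    sleep: Callable[[float], None] = lambda s: None) -> Tuple[List[Dict], Dict[str, int]]:
    """Walk every page behind `start_url`, honouring Retry-After on 429 and
    giving up only after `max_retries` consecutive throttles on one page.
    `sleep` is injectable so a test run does not actually wait."""
    flows: List[Dict] = []
    stats = {"pages": 0, "throttled": 0}
    url: Optional[str] = start_url
    while url:
        retries = 0
        while True:
            resp = get(url)
            if resp.status == 429:
                stats["throttled"] += 1
                retries += 1
                if retries > max_retries:
                    raise InventoryError(f"gave up on {url} after {max_retries} throttles")
                # Honour the server's Retry-After; fall back to exponential backoff.
                sleep(float(resp.headers.get("Retry-After", 2 ** retries)))
                continue
            if resp.status != 200:
                raise InventoryError(f"HTTP {resp.status} fetching {url}")
            break
        stats["pages"] += 1
        flows.extend(resp.body.get("value", []))
        url = resp.body.get("nextLink")
    return flows, stats


if __name__ == "__main__":
    try:
        naive_inventory(ThrottledFlowServer(total=20_000).get)
    except InventoryError as e:
        print("naive walk failed:", e)
    flows, stats = inventory_flows(ThrottledFlowServer(total=20_000).get)
    print(len(flows), "flows inventoried;", stats)
```

The point is not that a retry loop makes the CoE kit scale (its inventory flows run inside the platform and are bound by the same connector limits the Microsoft response cites), but that any tooling expected to enumerate tens of thousands of flows has to be designed around throttling from the start rather than treating a 429 as a fatal error.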

The Zenity Competitive Edge: Scalability, Performance 

Even for organizations that are adopting just Power Platform, and Power Platform alone, it is evident that a more robust, and scalable solution is needed. This only becomes more apparent when other low-code platforms and copilots are adopted (such as Power BI, Copilot for M365, and Salesforce), but even for just the Power Platform use case, today’s enterprises are in need of a solution that is:

  1. Scalable. Security and governance that is designed to scale effortlessly and able to secure potentially millions of applications without a hitch. This is crucial for enterprises that are rapidly expanding their digital footprint.
  2. Built for Performance. Able and capable of processing vast amounts of data. This ensures that security scans and compliance checks are conducted swiftly and continuously without causing delays or disruptions in business operations.

Zenity Customer Success Stories 

Zenity secures many of the largest Microsoft Power Platform deployments in the world, picking up and managing millions of apps and automations daily, and enabling our customers to scale citizen development without worrying about security, compliance, or business operations hiccups. A Fortune 100 technology company with over 1.5 million resources recently started using Zenity, and within minutes was able to understand the risk landscape of its entire tenant. While previously using the CoE kit, it had made many attempts just to grasp the size of its tenant with custom in-house tooling, all of which failed on scaling issues. As the age-old security adage goes, ‘you can’t manage what you don’t know exists,’ and this was certainly the case for this tech giant.

Enterprise organizations simply cannot rely on the Microsoft CoE kit as a security solution that will serve their existing business needs, let alone keep pace with projected yearly growth. They need a scalable solution that not only manages their current deployment but also grows as they grow, making sure that security is there every step of the way.
