docs(audit): Power Platform pattern catalog (closes #336)

[Daren9m]

Summary

Resolves spike #336. Thirteenth domain audit under v3.4.0 umbrella (#326). Ships docs/audits/power-platform.md.

Resolves the PBI/POWERBI duplication chore from #333.

The headline finding

Inverse of typical: too much duplicate Power BI coverage and zero coverage of the broader Power Platform.

	Coverage
Power BI tenant settings	26 existing checks (with 11 confirmed duplicate pairs)
Power Apps / Power Automate	0 checks
Tenant isolation	0 checks
Environment hygiene	0 checks
Power Platform DLP	0 checks
Copilot governance	0 checks

11 confirmed PBI/POWERBI duplicate pairs

Control intent	PBI-*	POWERBI-*
Block ResourceKey Auth	PBI-AUTH-001	POWERBI-AUTH-001
API access by SP restricted	PBI-API-001	POWERBI-AUTH-002
SP profile creation	PBI-PROFILE-001	POWERBI-AUTH-003
Guest user access	PBI-GUEST-001	POWERBI-GUEST-001
External invitations	PBI-INVITE-001	POWERBI-GUEST-002
Guest content access	PBI-CONTENT-001	POWERBI-GUEST-003
Sensitivity labels	PBI-LABELS-001	POWERBI-INFOPROT-001
Publish to web	PBI-PUBLISH-001	POWERBI-SHARING-001
R/Python visuals	PBI-SCRIPT-001	POWERBI-SHARING-002
Shareable links	PBI-LINK-001	POWERBI-SHARING-003
External data sharing	PBI-SHARING-001	POWERBI-SHARING-004

Plus 3 PBI-TENANT-* meta-checks that overlap further.

Coverage matrix

Category	Total	Covered	Refresh	Gaps
Tenant isolation	3	0	0	3
Environment hygiene	5	0	0	4
DLP policy coverage	6	0	0	5
Sharing controls	4	2 (Power BI side)	0	1
Copilot governance	3	0	0	3
Anti-patterns	6	1	0	1 unique
Total	23 unique	3	0	17 net to file + 11 dedup pairs

Threat-pattern map highlights

Compromise pattern	Tradecraft	Primary control
Citizen-developer data exfil via flow	Compromised user creates Power Automate flow that emails CSV to attacker mailbox	DLP HTTP / external-email connector restriction
Cross-tenant data flow via guest maker	Guest from partner tenant builds flow pulling from your env	Tenant isolation enabled
Default-environment proliferation	Every licensed user is auto-Maker, accumulating ungoverned apps/flows	Default environment lockdown (the #1 Power Platform governance recommendation per CoE Starter Kit)
Personal-cloud connector to enterprise data	Flow combines OneDrive (Business) + Personal-OneDrive (Non-Business)	Connector classification + cross-classification block
Custom HTTP connector → arbitrary egress	Maker creates custom connector to attacker URL	Custom connector evaluation + HTTP connector class
Copilot grounding leak across sensitivity classes	Confidential content surfaces in Copilot response for unprivileged user	Sensitivity-label enforcement on Copilot grounding

Fourth canonical data file proposed

data/power-platform-connectors.json — curated reference of Power Platform connectors with recommended classifications (Business / Non-Business / Blocked).

This is now the fourth canonical reference data file proposed across the audit work:

• data/role-tiers.json (spike: research privileged access patterns (PIM, role assignments, emergency access) #328)
• data/microsoft-first-party-appids.json (data: introduce data/microsoft-first-party-appids.json (canonical Microsoft owner-tenant + AppId allowlist) #361)
• data/transport-rule-actions.json (proposed spike: research mail flow patterns (transport rules, connectors, forwarding, inbox rule audit) #339)
• data/power-platform-connectors.json (this PR)

Worth coordinating as a v3.5 release theme: "canonical reference data layer for cross-consumer M365 governance."

Detection-method first: Power Platform admin PowerShell

This is the first audit where detection lives in Microsoft.PowerApps.Administration.PowerShell, separate from both Graph and Exchange Online PowerShell. Auth uses a different consent flow than Graph (explicit Power Platform admin role + tenant-level consent in the PP admin center).

Power BI side uses yet another module (MicrosoftPowerBIMgmt).

Files

• docs/audits/power-platform.md — 328 lines
• CHANGELOG.md — [Unreleased] / Documentation entry

Test plan

• Pester tests/registry-integrity.Tests.ps1 + tests/framework-definitions.Tests.ps1 — 268/268 pass locally
• All 26 Power BI checks inventoried; 11 duplicate pairs confirmed
• Cross-references to spike issues (spike: research external collaboration patterns (B2B, cross-tenant access, guest controls) #333, spike: research Purview DLP, sensitivity label, and retention patterns #335) link correctly
• CI: validate-data + Pester jobs (no expected impact)

Out of scope

• Application-level Power App security (per-app data sources, RBAC) — too org-specific
• Power BI report-level sensitivity labels — spike: research Purview DLP, sensitivity label, and retention patterns #335 (Purview)
• Dataverse RLS / column security — out of audit scope
• Power Automate runtime telemetry — runtime, not config
• Sign-in patterns for Power Platform admin portal — runtime telemetry

Progress on v3.4.0 audit umbrella

13 of 14 domain audits done. Identity stack done. Collaboration triad done. Mail flow + Intune + MDCA done. Power Platform now done.

Last remaining: #335 Purview — DLP + sensitivity labels + retention. Largest scope, most distinct from prior audits, and the cross-spike target for several open consolidations (#337 sensitivity-label site protection, #340 Teams sensitivity labels, #336 Copilot grounding labels).

🤖 Generated with Claude Code

[github-actions]

Content enrichment population

Overall (1105 checks): rationale 26.3% (291/1105) • impact 26.3% (291/1105) • references 26.3% (291/1105)

Framework	n	rationale	impact	references
cis-controls-v8	1020	25.1% (256/1020)	25.1% (256/1020)	25.1% (256/1020)
cis-m365-v6	180	100.0% (180/180)	100.0% (180/180)	100.0% (180/180)
cisa-scuba	52	100.0% (52/52)	100.0% (52/52)	100.0% (52/52)
cmmc	1080	26.3% (284/1080)	26.3% (284/1080)	26.3% (284/1080)
eidsca	21	100.0% (21/21)	100.0% (21/21)	100.0% (21/21)
essential-eight	630	22.2% (140/630)	22.2% (140/630)	22.2% (140/630)
fedramp	1072	27.1% (291/1072)	27.1% (291/1072)	27.1% (291/1072)
gdpr	11	100.0% (11/11)	100.0% (11/11)	100.0% (11/11)
hipaa	501	33.3% (167/501)	33.3% (167/501)	33.3% (167/501)
iso-27001	1020	26.6% (271/1020)	26.6% (271/1020)	26.6% (271/1020)
iso-27002	1020	26.6% (271/1020)	26.6% (271/1020)	26.6% (271/1020)
iso-27017	1012	26.0% (263/1012)	26.0% (263/1012)	26.0% (263/1012)
mitre-attack	892	30.7% (274/892)	30.7% (274/892)	30.7% (274/892)
nis2	311	25.7% (80/311)	25.7% (80/311)	25.7% (80/311)
nist-800-171	1080	26.3% (284/1080)	26.3% (284/1080)	26.3% (284/1080)
nist-800-53	1072	27.1% (291/1072)	27.1% (291/1072)	27.1% (291/1072)
nist-csf	826	31.1% (257/826)	31.1% (257/826)	31.1% (257/826)
pci-dss	1052	26.3% (277/1052)	26.3% (277/1052)	26.3% (277/1052)
soc2	1103	26.4% (291/1103)	26.4% (291/1103)	26.4% (291/1103)
stig	13	100.0% (13/13)	100.0% (13/13)	100.0% (13/13)

Informational only — does not gate the build. The hard release-gate for Critical/High enrichment lives in #281 (v3.2.0).

[github-actions]

Framework mapping count delta

Framework	main	this PR	Δ	Δ%	Status
cis-controls-v8	1020	1020	0	+0.00%	✓ OK
cis-m365-v6	180	180	0	+0.00%	✓ OK
cisa-scuba	52	52	0	+0.00%	✓ OK
cmmc	1080	1080	0	+0.00%	✓ OK
eidsca	21	21	0	+0.00%	✓ OK
essential-eight	630	630	0	+0.00%	✓ OK
fedramp	1072	1072	0	+0.00%	✓ OK
gdpr	11	11	0	+0.00%	✓ OK
hipaa	501	501	0	+0.00%	✓ OK
iso-27001	1020	1020	0	+0.00%	✓ OK
iso-27002	1020	1020	0	+0.00%	✓ OK
iso-27017	1012	1012	0	+0.00%	✓ OK
mitre-attack	892	892	0	+0.00%	✓ OK
nis2	311	311	0	+0.00%	✓ OK
nist-800-171	1080	1080	0	+0.00%	✓ OK
nist-800-53	1072	1072	0	+0.00%	✓ OK
nist-csf	826	826	0	+0.00%	✓ OK
pci-dss	1052	1052	0	+0.00%	✓ OK
soc2	1103	1103	0	+0.00%	✓ OK
stig	13	13	0	+0.00%	✓ OK

Result: ✓ PASS — no framework mapping regressions detected.