Power Pages

Power Pages Security Hardening Checklist for 2026

A practical security checklist for hardening Power Pages portals — authentication, table permissions, WAF, CAPTCHA, rate limiting, secrets and audit.

KIT Consulting Team 6 min read

Every external-facing portal is a target. The default Power Pages setup is reasonable; production-grade is harder. This checklist is what we run for clients before launch.

1. Authentication

  • Disable any auth providers you don't need (yes, this matters — every enabled provider is a surface).
  • Enforce MFA on all administrative roles.
  • For Entra External ID, configure conditional access policies (location, device, risk).
  • Set realistic password policies (length over complexity, breach detection if available).
  • Configure session lifetimes — shorter for higher-risk roles.

2. Table permissions audit

The single biggest source of Power Pages data leaks is misconfigured table permissions:

  • Audit every table permission. Confirm scope (Global / Contact / Account / Self / Parent) is the least required.
  • Verify cascading parent permissions. A "Global Read" on Cases via parent Account is rarely intended.
  • Check inherited permissions don't widen access unexpectedly.
  • Test as every web role with a fresh anonymous browser session.
  • Document the matrix: web role × table × scope × create/read/update/delete.

3. Form and list security

  • Disable view fields you don't want exposed (even if hidden in CSS, the API returns them).
  • For forms, lock down which fields can be created vs updated by web role.
  • Validate all input server-side; never trust client validation.
  • For file uploads, restrict by MIME, size and storage location.

4. Web Application Firewall (WAF)

Enable the Power Pages WAF (or front your portal with Azure Front Door / Application Gateway WAF):

  • OWASP rule sets enabled.
  • Bot mitigation on.
  • Rate limiting per IP (e.g., 60 req/min per anonymous IP).
  • Geo-blocking for countries you don't serve.
  • Custom rules for your specific abuse patterns.

Test your WAF with a controlled load test before believing it works.

5. CAPTCHA on public forms

Every anonymous-facing form (contact, registration, support intake) needs:

  • reCAPTCHA / hCAPTCHA / Microsoft Turnstile.
  • Server-side verification (don't just check client-side).
  • Honeypot field as a second line.

Without these, expect spam in the first week.

6. Secrets and configuration

  • No secrets in Liquid, page content, or web files.
  • Secrets in Power Pages Environment Variables referencing Azure Key Vault.
  • For external service credentials, use managed identity wherever supported.
  • Rotate keys at least quarterly.

7. Content Security Policy (CSP)

Enable CSP headers:

  • Whitelist your domains, CDN, analytics.
  • Block inline scripts where possible.
  • Report-only mode first to find violations, then enforce.

8. Cross-Site Request Forgery (CSRF)

  • Power Pages handles CSRF tokens for native forms automatically. Don't disable.
  • Custom AJAX endpoints must verify CSRF tokens.
  • For external form submissions, validate Referer and Origin headers.

9. Audit and logging

  • Application Insights wired for errors and unusual activity.
  • Dataverse audit on for sensitive tables.
  • Log authentication attempts (success and failure).
  • Centralize logs to Microsoft Sentinel or your SIEM if you have one.
  • Retention: 90 days minimum, 1 year preferred for security-relevant logs.

10. Custom code review

Every line of custom JavaScript / Liquid you add is a potential vulnerability:

  • No eval(), no inline script tags from user-influenced data.
  • Sanitize any user-rendered content (XSS).
  • Validate JSON payloads server-side.
  • Code review by a second engineer before promotion to production.

11. Penetration testing

Before go-live:

  • Run an automated scan (OWASP ZAP, Burp Community).
  • Engage a third-party pentest for production-grade portals.
  • Triage findings; fix Highs and Mediums before launch.
  • Re-test after fix.

12. Patch and update cadence

  • Power Pages itself updates monthly. Stay current.
  • Custom JavaScript libraries — track CVEs (use Dependabot or equivalent).
  • Custom code changes go through CI with security linting.

13. Incident response

Have a written runbook:

  • How to disable the portal in an emergency.
  • How to rotate authentication keys.
  • How to lock specific roles or contacts.
  • Who in your org gets paged. And their backup.

FAQs

Is Power Pages compliant with HIPAA / SOC 2 / ISO 27001? The platform is. Your specific implementation must be configured to meet the controls. Microsoft publishes compliance documentation per service.

Can we put Power Pages behind Azure Front Door? Yes — recommended for enterprise deployments. Gives you WAF, global routing, custom certificates and additional caching.

Should we run a bug bounty? For consumer-facing portals at scale, yes. Start with HackerOne or Bugcrowd's managed offerings.

What about DDoS? Azure provides baseline DDoS protection. For high-value targets, enable Azure DDoS Protection Standard plus front the portal with Front Door.

We do Power Pages security audits as a fixed-price 1-week engagement. Output: detailed findings, remediation plan, and re-test after fixes. Request the audit scope.

#Power Pages #Security #WAF #Hardening

Ready to talk to a Microsoft expert?

Book a 30-minute working session with our MVP team. No slides, just answers.

Book a Discovery Call
Keep reading

Related insights

Power Pages

External Self-Service Portals on Power Pages: Patterns That Convert

Architecture and UX patterns for Power Pages self-service portals — partner, customer and citizen — covering authentication, deflection, performance and accessibility.