These scripts automate managing (create, update, get, delete) Power Platform Enterprise Policies as Azure resources.
In addition, we are providing sample scripts on how to associate these policies with Power Platform environments.
Please note that these scripts are provided under MIT license and its usage is the sole responsibility of the user.
- Install modules script : This script installs the required modules to run the Enterprise Policies scripts.
Script name : InstallPowerAppsCmdlets.ps1
Run the script to import the required PowerShell modules.
- Setup Azure subscription for Microsoft.PowerPlatform : This script registers the Azure subscription for the Microsoft.PowerPlatform resource provider
and also allow-lists the subscription for the enterprisePoliciesPreview feature.
Script name : SetupSubscriptionForPowerPlatform.ps1
Run the script to set up the Azure subscription for Microsoft.PowerPlatform.
The CMK scripts are present in the folder Cmk at the current location.
- Create CMK Enterprise Policy : This script creates a CMK enterprise policy
Script name : CreateCMKEnterprisePolicy.ps1
Input parameters :
- subscriptionId : The subscriptionId where CMK enterprise policy needs to be created
- resourceGroup : The resource group where CMK enterprise policy needs to be created
- enterprisePolicyName : The name of the CMK enterprise policy resource
- enterprisePolicyLocation : The Azure geo where CMK enterprise policy needs to be created. Example: unitedstates, europe, australia.
To get the complete supported locations for enterprise policy, the command below can be used:
((Get-AzResourceProvider -ProviderNamespace Microsoft.PowerPlatform).ResourceTypes | Where-Object ResourceTypeName -eq enterprisePolicies).Locations
- keyVaultId : The ARM resource ID of the key vault used for CMK
- keyName : The name of the key in the key vault used for CMK
- keyVersion: The version of the key in the key vault used for CMK
- Get CMK Enterprise Policy By ResourceId : The script gets a CMK enterprise policy by ARM resourceId
Script name : GetCMKEnterprisePolicyByResourceId.ps1
Input parameter :
- enterprisePolicyArmId : The ARM resource ID of the CMK Enterprise Policy
- Get CMK Enterprise Policies in Subscription : The script gets all CMK enterprise policies in an Azure subscription
Script name : GetCMKEnterprisePoliciesInSubscription.ps1
Input parameter :
- subscriptionId : The Azure subscription Id
- Get CMK Enterprise Policies in Resource Group : The script gets all CMK enterprise policies in an Azure resource group
Script name : GetCMKEnterprisePoliciesInResourceGroup.ps1
Input parameters :
- subscriptionId : The Azure subscription Id
- resourceGroup : The Azure resource group
- Validate Azure Key Vault : This script checks whether the Key Vault is set up correctly according to the prerequisites required by the Power Platform CMK Enterprise Policy. For details please follow the setup instructions at https://learn.microsoft.com/power-platform/admin/customer-managed-key#create-encryption-key-and-grant-access
The following major validations are performed:
- Soft-delete is enabled for the key vault. Please follow the instructions at https://learn.microsoft.com/azure/key-vault/general/soft-delete-change to update the soft-delete property.
- Purge protection is enabled for the key vault. Please follow the instructions at https://learn.microsoft.com/azure/key-vault/general/key-vault-recovery?tabs=azure-portal for details about enabling purge protection.
- The "Key Vault Crypto Service Encryption User" role assignment is present for the given enterprise policy if the key vault permission model is Azure role-based access control.
- Access policies of GET, UNWRAPKEY, WRAPKEY are added to the key vault for the given enterprise policy if the key vault permission model is vault access policy.
- The key configured for the given enterprise policy is present, enabled, activated and not expired.
Script name : ValidateKeyVaultForCMK.ps1
Input parameters:
- subscriptionId : The Azure subscription Id of the Key Vault
- keyVaultName : The name of the key Vault
- enterprisePolicyArmId : The CMK enterprise policy ARM Id
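The following is an added example and is not one of the scripts in this repository. It re-implements the major checks listed above for ValidateKeyVaultForCMK.ps1 with plain Az cmdlets (Az.Accounts, Az.KeyVault, Az.Resources), so that the outcome of each check is visible separately. It assumes Connect-AzAccount has already been run. Unlike the repository script it takes the key name and version as explicit parameters (an assumption made here to avoid depending on the enterprise policy's property schema); all resource names in the usage call are placeholders.

```powershell
# Added example; not a script from this repository. Assumes Az.Accounts, Az.KeyVault and
# Az.Resources are installed and Connect-AzAccount has been run. KeyName/KeyVersion are
# passed in explicitly (assumption) instead of being read from the enterprise policy.
function Test-CmkKeyVault {
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $KeyVaultName,
        [Parameter(Mandatory)] [string] $EnterprisePolicyArmId,
        [Parameter(Mandatory)] [string] $KeyName,
        [Parameter(Mandatory)] [string] $KeyVersion
    )

    Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

    $vault = Get-AzKeyVault -VaultName $KeyVaultName
    if (-not $vault) { throw "Key vault '$KeyVaultName' was not found in subscription $SubscriptionId." }

    # The enterprise policy is an ARM resource with a system-assigned managed identity; that
    # identity is the principal that must be allowed to wrap/unwrap with the key.
    $policy      = Get-AzResource -ResourceId $EnterprisePolicyArmId
    $principalId = $policy.Identity.PrincipalId
    if (-not $principalId) { throw "Enterprise policy '$EnterprisePolicyArmId' has no system-assigned identity." }

    $checks = [ordered]@{}

    # 1. Recovery controls. Without soft-delete plus purge protection a deleted key cannot be
    #    recovered, and every environment encrypted with it would become unreadable.
    $checks['SoftDeleteEnabled']      = [bool]$vault.EnableSoftDelete
    $checks['PurgeProtectionEnabled'] = [bool]$vault.EnablePurgeProtection

    # 2. Authorization, depending on the vault's permission model.
    if ($vault.EnableRbacAuthorization) {
        # Returns assignments at or above the vault scope for this principal and role.
        $assignment = Get-AzRoleAssignment -ObjectId $principalId -Scope $vault.ResourceId `
            -RoleDefinitionName 'Key Vault Crypto Service Encryption User' -ErrorAction SilentlyContinue
        $checks['CryptoServiceEncryptionUserRoleAssigned'] = [bool]$assignment
    }
    else {
        $accessPolicy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $principalId }
        $granted      = @($accessPolicy.PermissionsToKeys | ForEach-Object { $_.ToLowerInvariant() })
        $missing      = @(@('get', 'wrapkey', 'unwrapkey') | Where-Object { $granted -notcontains $_ })
        $checks['GetWrapUnwrapAccessPolicyPresent'] = ($null -ne $accessPolicy) -and ($missing.Count -eq 0)
    }

    # 3. The key itself: present, enabled, past its activation date and not expired.
    $key = Get-AzKeyVaultKey -VaultName $KeyVaultName -Name $KeyName -Version $KeyVersion -ErrorAction SilentlyContinue
    $now = [datetime]::UtcNow
    $checks['KeyPresent']    = ($null -ne $key)
    $checks['KeyEnabled']    = ($null -ne $key) -and [bool]$key.Enabled
    $checks['KeyActivated']  = ($null -ne $key) -and (($null -eq $key.NotBefore) -or ($key.NotBefore -le $now))
    $checks['KeyNotExpired'] = ($null -ne $key) -and (($null -eq $key.Expires)   -or ($key.Expires   -gt $now))

    $checks['AllChecksPassed'] = -not (@($checks.Values) -contains $false)
    return [pscustomobject]$checks
}

# Placeholder values; replace with your own subscription, vault, policy and key.
Test-CmkKeyVault -SubscriptionId '00000000-0000-0000-0000-000000000000' `
    -KeyVaultName 'contoso-cmk-kv' `
    -EnterprisePolicyArmId '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-cmk/providers/Microsoft.PowerPlatform/enterprisePolicies/contoso-cmk-policy' `
    -KeyName 'cmk-key' -KeyVersion '<key-version>' | Format-List
```

Each check is reported individually so that a failure can be traced to a specific prerequisite; the repository script reports the same conditions, but this form is convenient when the checks are run as part of a pipeline that needs a machine-readable result.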
- Update CMK Enterprise Policy : This script updates a CMK Enterprise Policy. The updates allowed are for keyVaultId, keyName, keyVersion.
If you are changing only some of the allowed parameter values, provide “N/A” when prompted for the parameters that you don’t want to change.
If the enterprise policy is associated with one or more environments, the update operation will fail, and the script will return an error.
Script name : UpdateCMKEnterprisePolicy.ps1
Input parameters :
- subscriptionId : The Azure subscription Id of the CMK Enterprise Policy
- resourceGroup : The Azure resource group of the CMK Enterprise Policy
- enterprisePolicyName : The name of the CMK enterprise policy that needs to be updated
- keyVaultId : The ARM resource ID of the key vault if it needs to be updated. Provide "N/A" if update is not required for key vault Id
- keyName: The name of the key if it needs to be updated. Provide "N/A" if update is not required for name of the key
- keyVersion: The version of the key if it needs to be updated. Provide "N/A" if update is not required for version of the key
- Delete CMK Enterprise Policy : This script deletes the CMK Enterprise Policy for a given policy Id.
If the CMK enterprise policy is associated with one or more environments, the delete operation will fail, and the script will return an error.
Script name : RemoveCMKEnterprisePolicy.ps1
Input parameter :
- policyArmId : The ARM ID of the CMK enterprise policy to be deleted
- Set CMK for an environment : This script applies a CMK enterprise policy to a given Power Platform environment.
The script adds the environment to the enterprise policy and optionally polls for the operation outcome.
Script name : AddCustomerManagedKeyToEnvironment.ps1
Input parameters :
- environmentId : The Power Platform environment ID
- policyArmId : The ARM ID of the CMK Enterprise Policy
- Get CMK for an environment : This script returns the CMK enterprise policy if applied to a given Power Platform environment.
Script name : GetCMKEnterprisePolicyForEnvironment.ps1
Input parameter :
- environmentId : The Power Platform environment ID
- Remove CMK from an environment : The script removes the CMK enterprise policy from an environment,
which results in the data being encrypted with a Microsoft-managed encryption key.
Script name : RemoveCustomerManagedKeyFromEnvironment.ps1
Input parameters :
- environmentId : The Power Platform environment ID
- policyArmId: The ARM ID of the CMK Enterprise Policy
The Subnet Injection scripts are present in the folder SubnetInjection at the current location.
- This script adds the subnet delegation for Microsoft.PowerPlatform/enterprisePolicies for a given virtual network and subnet
Script name : SetupVnetForSubnetDelegation.ps1
Input parameters :
- virtualNetworkSubscriptionId : The subscriptionId of the virtual network
- virtualNetworkName : The name of the virtual network
- subnetName : The name of the virtual network subnet
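The following is an added example and is not the repository's SetupVnetForSubnetDelegation.ps1. It shows the Az.Network calls that delegate a subnet to Microsoft.PowerPlatform/enterprisePolicies, refuses to overwrite a delegation that already belongs to another service (a subnet carries at most one delegation), and re-reads the subnet from Azure to confirm the change. It assumes Connect-AzAccount has been run; the delegation name and the resource names in the usage call are placeholders.

```powershell
# Added example; not a script from this repository. Assumes Az.Accounts and Az.Network are
# installed and Connect-AzAccount has been run. $delegationName is an assumed placeholder.
function Set-PowerPlatformSubnetDelegation {
    param(
        [Parameter(Mandatory)] [string] $VirtualNetworkSubscriptionId,
        [Parameter(Mandatory)] [string] $VirtualNetworkName,
        [Parameter(Mandatory)] [string] $SubnetName
    )
    $serviceName    = 'Microsoft.PowerPlatform/enterprisePolicies'
    $delegationName = 'PowerPlatformEnterprisePolicies'   # any name unique within the subnet

    Set-AzContext -SubscriptionId $VirtualNetworkSubscriptionId | Out-Null

    # Without -ResourceGroupName the lookup searches the whole subscription by name.
    $vnet = Get-AzVirtualNetwork -Name $VirtualNetworkName
    if (-not $vnet) { throw "Virtual network '$VirtualNetworkName' was not found." }
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
    if (-not $subnet) { throw "Subnet '$SubnetName' was not found in '$VirtualNetworkName'." }

    # A subnet has at most one delegation; never replace one owned by another service silently.
    $foreign = @($subnet.Delegations | Where-Object { $_.ServiceName -ne $serviceName })
    if ($foreign.Count -gt 0) {
        throw "Subnet '$SubnetName' is already delegated to '$($foreign[0].ServiceName)'; use a dedicated subnet."
    }

    if (@($subnet.Delegations | Where-Object { $_.ServiceName -eq $serviceName }).Count -gt 0) {
        Write-Host "Subnet '$SubnetName' is already delegated to $serviceName; nothing to do."
    }
    else {
        # Add-AzDelegation edits the in-memory subnet; Set-AzVirtualNetwork writes the VNet back.
        Add-AzDelegation -Name $delegationName -ServiceName $serviceName -Subnet $subnet | Out-Null
        $vnet | Set-AzVirtualNetwork | Out-Null
    }

    # Verify against what Azure now reports rather than trusting the local object.
    $vnet   = Get-AzVirtualNetwork -Name $VirtualNetworkName
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $vnet
    $present = @($subnet.Delegations | Where-Object { $_.ServiceName -eq $serviceName }).Count -eq 1

    [pscustomobject]@{
        VirtualNetwork    = $vnet.Name
        Subnet            = $subnet.Name
        AddressPrefix     = ($subnet.AddressPrefix -join ', ')
        DelegatedTo       = ($subnet.Delegations.ServiceName -join ', ')
        DelegationPresent = $present
    }
}

# Placeholder values; replace with your own subscription, virtual network and subnet.
Set-PowerPlatformSubnetDelegation -VirtualNetworkSubscriptionId '00000000-0000-0000-0000-000000000000' `
    -VirtualNetworkName 'vnet-powerplatform' -SubnetName 'snet-enterprisepolicies'
```

Run it once per virtual network that will back the Subnet Injection policy (the primary and the secondary one), then pass the resulting VNet resource IDs and subnet names to CreateSubnetInjectionEnterprisePolicy.ps1.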
- This script creates a Subnet Injection enterprise policy
Script name : CreateSubnetInjectionEnterprisePolicy.ps1
Input parameters :
- subscriptionId : The subscriptionId where Subnet Injection enterprise policy needs to be created
- resourceGroup : The resource group where Subnet Injection enterprise policy needs to be created
- enterprisePolicyName : The name of the Subnet Injection enterprise policy resource
- enterprisePolicyLocation : The Azure geo where Subnet Injection enterprise policy needs to be created. Example: unitedstates, europe, australia.
To get the complete supported locations for enterprise policy, the command below can be used:
((Get-AzResourceProvider -ProviderNamespace Microsoft.PowerPlatform).ResourceTypes | Where-Object ResourceTypeName -eq enterprisePolicies).Locations
- primaryVnetId : The ARM resource ID of the primary virtual network used for Subnet Injection
- primarySubnetName : The name of the subnet in the primary virtual network that will be used for Subnet Injection
- secondaryVnetId : The ARM resource ID of the secondary virtual network used for Subnet Injection
- secondarySubnetName : The name of the subnet in the secondary virtual network that will be used for Subnet Injection
- The script gets a Subnet Injection enterprise policy by ARM resourceId
Script name : GetSubnetInjectionEnterprisePolicyByResourceId.ps1
Input parameter :
- enterprisePolicyArmId : The ARM resource ID of the Subnet Injection Enterprise Policy
- The script gets all Subnet Injection enterprise policies in an Azure subscription
Script name : GetSubnetInjectionEnterprisePoliciesInSubscription.ps1
Input parameter :
- subscriptionId : The Azure subscription Id
- The script gets all Subnet Injection enterprise policies in an Azure resource group
Script name : GetSubnetInjectionEnterprisePoliciesInResourceGroup.ps1
Input parameters :
- subscriptionId : The Azure subscription Id
- resourceGroup : The Azure resource group
- This script updates a Subnet Injection Enterprise Policy. The updates allowed are for primary/secondary virtual network Id and/or primary/secondary subnet name.
If you are changing only some of the allowed parameter values, provide “N/A” when prompted for the parameters that you don’t want to change.
If the enterprise policy is associated with one or more environments, the update operation will fail, and the script will return an error.
Script name : UpdateSubnetInjectionEnterprisePolicy.ps1
Input parameters :
- subscriptionId : The Azure subscription Id of the Subnet Injection Enterprise Policy
- resourceGroup : The Azure resource group of the Subnet Injection Enterprise Policy
- enterprisePolicyName : The name of the Subnet Injection enterprise policy that needs to be updated
- primaryVnetId : The ARM resource ID of the primary virtual network if it needs to be updated. Provide "N/A" if update is not required for the primary virtual network Id
- primarySubnetName: The name of the subnet in the primary virtual network if it needs to be updated. Provide "N/A" if update is not required for name of the subnet in the primary virtual network
- secondaryVnetId : The ARM resource ID of the secondary virtual network if it needs to be updated. Provide "N/A" if update is not required for the secondary virtual network Id
- secondarySubnetName: The name of the subnet in the secondary virtual network if it needs to be updated. Provide "N/A" if update is not required for name of the subnet in the secondary virtual network
- This script applies a Subnet Injection enterprise policy to a given Power Platform environment.
The script adds the environment to the enterprise policy and optionally polls for the operation outcome.
Script name : NewSubnetInjection.ps1
Input parameters :
- environmentId : The Power Platform environment ID
- policyArmId : The ARM ID of the Subnet Injection Enterprise Policy
- This script returns the Subnet Injection enterprise policy if applied to a given Power Platform environment.
Script name : GetSubnetInjectionEnterprisePolicyForEnvironment.ps1
Input parameter :
- environmentId : The Power Platform environment ID
- The script removes the Subnet Injection enterprise policy from an environment.
Script name : RevertSubnetInjection.ps1
Input parameters :
- environmentId : The Power Platform environment ID
- policyArmId: The ARM ID of the Subnet Injection Enterprise Policy