Guided by A Guide to Cloud
PL-400 Study Guide

Domain 1: Create a Technical Design

  • Solution Architecture: What Goes Where Free
  • Security by Design: Auth, Roles & DLP Free
  • Designing UX Components: Canvas, PCF & Client Scripts Free
  • Designing Platform Extensions: Connectors, Plug-ins & APIs Free
  • Integration & Automation Blueprints Free

Domain 2: Build Power Platform Solutions

  • Environment Setup & Security Troubleshooting
  • Solutions & Layers: ALM Foundations
  • CI/CD Pipelines for Power Platform

Domain 3: Implement Power Apps Improvements

  • Advanced Power Fx & Canvas Components
  • Troubleshoot & Optimise Apps

Domain 4: Extend the User Experience

  • Client Scripting: Form Events & the Client API
  • Commands, Buttons & Custom Page Navigation
  • PCF Components: Build & Lifecycle
  • PCF Components: Package, Deploy & Advanced Features

Domain 5: Extend the Platform

  • The Plug-in Pipeline: How Dataverse Processes Events Free
  • Writing Plug-ins: Business Logic, Service & Registration
  • Custom APIs & Business Events
  • Custom Connectors: OpenAPI & Authentication
  • Custom Connectors: Azure, Policies & Code
  • Dataverse APIs: Web API & Organisation Service
  • Azure Functions for Power Platform
  • Cloud Flows: Dataverse Triggers & Expressions
  • Cloud Flows: Security, Errors & Child Flows

Domain 6: Develop Integrations

  • Publishing Dataverse Events
  • Service Endpoints: Webhooks, Service Bus & Event Hub
  • Data Sync: Change Tracking, Alternate Keys & Upsert

Domain 2: Build Power Platform Solutions

Environment Setup & Security Troubleshooting

Set up your development environment the right way. Learn how to manage Power Platform environments, configure Dataverse security roles for code components, and troubleshoot common security issues.

Your developer workspace

☕ Simple explanation

Think of environments like workbenches in a workshop.

You would not build a prototype on the same bench where finished products ship to customers. You have a development bench (experiment freely), a testing bench (check everything works), and a production bench (only finished items go here).

Power Platform environments work the same way. Each environment has its own Dataverse database, security roles, and configurations. As a developer, you need to know how to set up your dev environment, configure the right permissions for your code, and fix things when security blocks your work.

Power Platform environments are isolated containers for apps, flows, data, and configurations. Developers work across a minimum of three: development (for building), test/UAT (for validation), and production (for end users). Each environment has its own Dataverse instance, security roles, DLP policies, and connection configurations.

Configuring security roles for code components requires understanding how plug-ins, custom connectors, PCF components, and cloud flows authenticate and what permissions they need. The principle of least privilege demands that each component receives only the minimum permissions required.

Troubleshooting security issues is a daily developer task — from “my plug-in gets an access denied error” to “my flow cannot connect to Dataverse in production.” The exam tests your ability to diagnose and resolve these common problems.

Environment strategy for developers

| Environment | Purpose | Who Has Access | Data |
|---|---|---|---|
| Development | Build and iterate on solutions | Developers, makers | Sample/test data only |
| Test / UAT | Validate before production | QA team, key users | Sanitised copy of production data |
| Production | Live system for end users | All licensed users | Real business data |
| Sandbox | Experimentation, training | Varies | Resettable, disposable |

Developer environment best practices

  • One developer per dev environment when possible (avoids solution conflicts)
  • Use developer environments (free, tied to your account) for personal experimentation
  • Never develop directly in production — always build in dev, deploy via solutions
  • Reset sandbox environments regularly to catch “works on my machine” issues
  • Use the Power Platform CLI (pac) to manage environments from the command line

💡 The pac CLI for environment management

The Power Platform CLI (pac) is a developer’s best friend. Key environment commands:

  • pac auth create --environment <url> — authenticate to an environment
  • pac auth list — see all authenticated environments
  • pac org list — list available environments
  • pac org select --environment <env-id> — switch active environment
  • pac solution export --path ./solution.zip — export a solution
  • pac solution import --path ./solution.zip — import a solution

The exam expects you to know these commands and when to use them.

Configuring security roles for code components

Each code component runs with a specific security identity. You must configure the right permissions for that identity.

| Component | Runs As | How to Configure Permissions |
|---|---|---|
| Plug-in | Calling user (default) or system user | Security role on the application user or calling user’s role |
| Cloud flow (automated) | Connection owner or service principal | Security role on the service principal / app user |
| PCF component | Current user (inherited from app) | User’s security role must include access to data the component reads |
| Custom connector | Per-connection user identity | Connection owner’s permissions determine API access |
| Client script | Current user | Runs in browser with current user’s Dataverse Web API permissions |

Least privilege in practice

Bad: Give the plug-in’s application user the System Administrator role (has access to everything).

Good: Create a custom security role with only the specific table/column permissions the plug-in needs:

  • Read on Contact table (Organisation-level, because it reads any contact)
  • Write on Account table (Organisation-level, because it updates any account)
  • No permissions on any other table

Question

What is a developer environment in Power Platform?

Answer

A free, personal environment tied to a developer's Microsoft 365 account. It has a Dataverse database and is meant for individual experimentation and learning. It does not count against the organisation's environment quota. Reset it when you need a clean slate.

Question

How does a plug-in authenticate to Dataverse?

Answer

By default, a plug-in runs in the security context of the calling user (the person or system that triggered the event). You can configure it to run as the plug-in's registered application user instead. The application user's security role determines what data the plug-in can access.

Question

What pac CLI command exports a solution from an environment?

Answer

pac solution export --path ./solution.zip — This exports the current solution from the active authenticated environment. Use pac auth create first to authenticate, then pac org select to choose the environment.

Troubleshooting security issues

Common security problems developers encounter and how to diagnose them:

| Symptom | Likely Cause | How to Fix |
|---|---|---|
| Plug-in throws “access denied” | Application user lacks permissions on the target table | Add the required table privilege to the app user’s security role |
| Flow fails with “insufficient permissions” | Connection reference mapped to a user without the right role | Map to a service principal with appropriate permissions |
| PCF component shows no data | User’s security role does not include Read on the data table | Add Read permission to the user’s security role for that table |
| Custom connector fails in production | DLP policy blocks the connector group combination | Reclassify the custom connector in the production DLP policy |
| Canvas app shows “You don’t have permission” | User not assigned a security role in the target environment | Assign the appropriate security role in the admin centre |

💡 Scenario: Kai troubleshoots a plug-in error

Kai Nakamura is a developer at LogiFlow. His new plug-in validates shipment data and creates an audit record in a Log table. It works perfectly in his dev environment but throws “SecLib::AccessCheckEx” errors in the test environment.

Diagnosis: The plug-in runs as an application user. In dev, that user has System Administrator (Kai was lazy). In test, it has a restricted role that does not include Create permission on the Log table.

Fix: Add Create permission on the Log table to the application user’s security role in the test environment. Then remove System Administrator from the dev environment too — develop with production-like permissions to catch these issues early.
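
The least-privilege list and Kai's scenario above both reduce to comparing what a component needs with what its role grants. The Python below is an added example, not part of the original guide: the table names, role contents and the `audit_role` helper are constructed for illustration, and it assumes the Log table is user-owned so Create at User level is enough.

```python
# Access levels in increasing scope, as used by Dataverse security roles.
DEPTH = {"None": 0, "User": 1, "Business Unit": 2,
         "Parent: Child Business Units": 3, "Organisation": 4}

# Privileges the plug-in needs: (table, privilege) -> minimum access level.
# Contact/Account come from the page's list; Log/Create from Kai's scenario.
REQUIRED = {
    ("contact", "Read"): "Organisation",
    ("account", "Write"): "Organisation",
    ("log", "Create"): "User",  # assumption: user-owned Log table
}

# Constructed role contents for the test environment (hypothetical data).
TEST_ROLE = {
    ("contact", "Read"): "Organisation",
    ("account", "Write"): "Business Unit",  # granted, but too shallow
    ("invoice", "Delete"): "Organisation",  # never used by the plug-in
}


def audit_role(required, granted):
    """Return (missing, excess) as sorted lists of (table, privilege, a, b).

    missing: needed but absent or too shallow (a=needed, b=granted);
             these surface at runtime as access-denied errors.
    excess:  granted but unneeded or deeper than needed (a=granted, b=needed);
             these are least-privilege violations.
    """
    missing, excess = [], []
    for (table, priv), need in required.items():
        have = granted.get((table, priv), "None")
        if DEPTH[have] < DEPTH[need]:
            missing.append((table, priv, need, have))
    for (table, priv), have in granted.items():
        need = required.get((table, priv), "None")
        if DEPTH[have] > DEPTH[need]:
            excess.append((table, priv, have, need))
    return sorted(missing), sorted(excess)


if __name__ == "__main__":
    missing, excess = audit_role(REQUIRED, TEST_ROLE)
    for table, priv, need, have in missing:
        print(f"MISSING {priv} on {table}: needs {need}, role grants {have}")
    for table, priv, have, need in excess:
        print(f"EXCESS  {priv} on {table}: role grants {have}, needs {need}")
```

Running the same comparison against the dev role before deployment catches the gap Kai only found in test, and flags a System Administrator-style role as a long list of excess grants.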

Knowledge Check

Kai's automated cloud flow creates Shipment records in Dataverse. The flow works when Kai tests it manually but fails in production with 'The user does not have permission to create records.' The flow uses a connection reference. What should Kai investigate first?

Next up: Solutions & Layers — understanding managed vs unmanaged solutions, dependencies, and environment variables.

Guided

I learn, I simplify, I share.

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.