Working with Power Pages in Dev and UAT environments, I discovered that the visibility can be quickly switched to Public, thus exposing unfinished portals. To prevent this from happening, Microsoft has introduced a governance control which enables the restriction of visibility to external parties in case of non-production Power Pages sites. Below, you can find the details about this process.
Use Case
Let us consider an example. For instance, you are creating a Power Pages website for a bank. The developer and his/her colleagues develop various modules of the website such as login pages, application forms for loans, and others. While developing, your colleague publishes the website by mistake. In this case, the website will be accessible to everyone who has the URL address. Everyone on the Internet will be able to visit the site just by using the link. In case this option is enabled, users will not be able to make the site public unless they have the required administrative permissions. This means even if someone tries to change the site visibility, it will be restricted and require proper admin approval. This adds an extra layer of security and helps prevent accidental exposure of the site
Note: When the feature is initially enabled, the policy set by default is ‘None’. Therefore, no site is visible externally.
Step-by-Step Implementation
Step-by-Step Implementation- Redirect and sign in to the Power Platform Admin Center.
- Set Governance Controls option: Manage → Power Pages → Governance Controls
- From the dropdown, select:
“Set site visibility to public access for non-production sites”
- Select the environment where you want to apply this governance control.
- Configure Policy Value
Choose one of the site visibility options based on your requirements:
- None (Default) – Makers cannot make non-production sites public. All sites remain private best for Strict security environments
- All-Makers can make any non-production site public or private. Best for Flexible development environments
- All sites except specific sites – Except the ones you explicitly restrict. Best for partial control.
- Specific sites – Only selected sites can be made public. All others remain restricted. Best for controlled exposure.
- Save Changes
Click Save to apply the configuration.
Working
Once this is configured, the control is applied at the tenant level and makers must follow the defined visibility rules. They can only make sites public based on the policy set by the admin, which helps prevent accidental exposure. This ensures that development and UAT sites remain secure, and only approved sites are exposed publicly.
Notes
- This control only applies to non-production sites
- It does not affect production environments
- Changes are reflected directly in the maker’s experience
Conclusion
The ability to control the visibility settings for non-production sites is easy and beneficial for development purposes. Prevents accidental data leaks and unnecessary public exposure of sites under development/testing. In my opinion, once enabled, makes it easier for makers to understand the rules.