Episode Details

If your first instinct when you hear 'Power Platform' is to hit the disable switch in your admin portal, you’re not alone. A lot of IT leaders think that locking it down is the safest move. But here’s the twist: that quick fix usually creates bigger risks—shadow IT, uncontrolled data flows, and compliance blind spots. So why does disabling the platform backfire almost every time, and what should you do instead? Stay with me, because the answer is not as complicated as you think—it just requires thinking differently about governance.The False Sense of SecurityMany admins view shutting off the Power Platform as the fastest route to safety. It feels straightforward: if people can’t build apps, they can’t introduce new risks. At first glance, this looks like strong governance. But here’s the counterintuitive part: the dashboard will look better, yet risk usually increases. Why? Because what you can’t see often becomes the most difficult to manage. During a Microsoft 365 rollout, the instinct is to clamp down on new tools like Power Platform. The reasoning makes sense—uncertainty is uncomfortable, and you already have SharePoint, Dynamics, and OneDrive. So access gets restricted to test users, emails go out announcing the limits, and leadership believes the issue is resolved. The problem is, business demand doesn’t stop just because IT hit pause. Employees still need faster reporting, automated approvals, and lightweight apps to streamline repetitive tasks. When official tools are blocked, those needs don’t disappear—they’re just met elsewhere. This is where exposure begins: instead of managed apps inside your tenant, you get unsanctioned spreadsheets, consumer cloud services, or third-party automation patched together without oversight. Take a common real-world scenario. An organization disables Power Apps after seeing employees begin to experiment with building small tools. The intent is to avoid “shadow apps” before they spread. But within a short time, those same employees start moving data into personal spreadsheets and wiring up free automations through services like Zapier or Airtable. Result: the immediate problem looks contained—licenses show zero usage—but sensitive business data has slipped outside tenant boundaries, with no backup, retention, or DLP controls. Industry reports and admin experience suggest this pattern is common. When official platforms are blocked, users don’t stop—they pivot. They turn to services like Dropbox, Google Sheets, or personal OneDrive accounts because they can be spun up quickly, with no procurement step. These tools aren’t inherently unsafe, but once financial data, HR records, or customer details end up in them, IT loses visibility. And in regulated sectors, that lack of oversight is more dangerous than the original unmanaged app ever was. The fallout escalates quietly. A workflow that might have been secured within Dataverse now runs on a spreadsheet saved in a personal cloud folder. A set of customer records that could have benefited from corporate retention policies now lives in an unencrypted file share. What looks like risk reduction is actually just risk relocation—moved into spaces where IT has no hooks to monitor, audit, or respond. This is the paradox: choosing “disable” feels safe, but without governance it often produces more exposure, not less. You don’t gain real control by locking a door; you simply encourage workarounds through windows you aren’t watching. True control comes from steering activity into secure, supported lanes, not from blocking the road entirely. And the comfort of seeing usage drop on a report can create an illusion of safety that leaves organizations blind to what’s happening outside their view. That’s the danger of a false sense of security. On paper it looks like risk is gone. In practice, the risks are harder to monitor, the data harder to protect, and the consequences more severe if things go wrong. And that raises the bigger question—when employees ta