Power Pages Is a Security Boundary, Not Just a Website Builder
External identity, table permissions and web roles require deliberate design because the audience sits outside the tenant.
Power Pages can expose Dataverse-backed services quickly. The low-code surface does not make the internet-facing trust boundary any smaller.
Design authentication, web roles, table permissions and record relationships together. Test anonymous and authenticated paths with users who have no internal privileges. Never assume a hidden page or filtered list protects the underlying table.
Minimise exposed columns and operations. Review Liquid, APIs and custom JavaScript as application code. Monitor registration, access and suspicious behaviour.
Treating the site as a simple content project is how convenient configuration becomes unintended disclosure. Test table permissions as an attacker would: against the API and records, not only against what the page happens to render.