Automatic Redirect Users to Specific Environment Power Platform Environment Routing
When developing modern applications, we often work with multiple environments — Development, Testing, Staging, and Production. Managing how requests flow across these environments can get complicated, especially in cloud-based or distributed architectures.
That’s where Environment Routing comes into play.
Watch the video below to learn or scroll down to readd it.
Managing multiple environments in the Power Platform — such as Development, UAT, Staging, and Production — can be challenging, especially in large organizations. To streamline governance and ensure that users land in the right environment, Microsoft provides Environment Routing Rules combined with Security Groups.
These features help control who gets access to which environment — automatically, securely, and in line with your organization’s policies.
🔍 What is Environment Routing?
Environment Routing in Power Platform determines which environment a user is directed to when they sign in to a Power Apps portal (like make.powerapps.com) for the first time.
When new users in your tenant access Power Platform, the system can route them automatically to a designated environment (often a Default or Onboarding environment).
⚙️ Why Environment Routing is Important
Environment routing ensures:
- ✅ Users only see environments relevant to them
- 🔒 Security boundaries between environments are respected
- ⚙️ Admins can automate environment access without manual intervention
- 🧭 New users are guided to the right starting environment (no confusion)
🧩 Role of Security Groups in Environment Routing
Each Power Platform environment can be associated with an Azure AD Security Group.
Only users within that group can access or even see the environment.
🔐 How it Works:
- You create or assign an Azure AD Security Group to your environment.
- Only members of that group will see and be able to use the environment in Power Apps, Power Automate, or Power Pages.
- If a user is not in the group, they will be routed to another accessible environment (or none, depending on routing rules).
🛠️ How to Configure Environment Routing with Security Groups
Step 1: Create an Azure AD Security Group
- Go to Microsoft Entra Admin Center → Groups → New Group
- Type: Security
- Assign a clear name like “PowerPlatform-Dev-Users”
- Add users who should access that environment
Step 2: Assign the Security Group to the Environment
- Sign in to the Power Platform Admin Center → https://admin.powerplatform.microsoft.com
- Select Environments → Choose your environment (e.g., Development)
- Click on Edit under Security Group
- Select the Azure AD group you created
🔸 Only members of this group will now be able to access this environment.
Step 3: Set Up Environment Routing Rules
Environment Routing Rules determine where new users land when they first access Power Platform.
To configure:
- In Power Platform Admin Center, go to Settings → Tenant Settings → Environment Routing
- You’ll see a list of routing rules, typically in priority order
- Add or edit rules to define how new users are routed based on criteria like:
- Their Azure AD group membership
- Their geographic region
- The type of environment (default, developer, production)
Example rule:
| Priority | Condition | Route to Environment |
|---|---|---|
| 1 | User in “PowerPlatform-Dev-Users” | Development |
| 2 | User in “PowerPlatform-Testers” | Test |
| 3 | All others | Default |
Once saved, Power Platform will use these routing rules whenever a new user signs in.
🧠 Example Scenario
Let’s say your organization has:
- Development → Linked to Security Group:
DevTeam - Test/UAT → Linked to Security Group:
QATeam - Production → Linked to Security Group:
EndUsers
When a new user logs in:
- The system checks if they belong to any of the groups.
- If they’re in
DevTeam, they are routed to the Development environment. - If not, it checks the next rule — maybe
QATeam. - If no match, they fall back to the Default environment.
This ensures that users only see what’s intended for them — and don’t clutter your tenant with unnecessary access.
🧰 Best Practices
✅ Use separate security groups for each environment
Helps with auditing and minimizes accidental access.
✅ Automate group membership
Use Microsoft Entra dynamic groups or Power Automate flows to auto-assign users based on roles or departments.
✅ Review routing rules regularly
As your org grows, new business units or environments might need dedicated routing rules.
✅ Don’t use the Default Environment for Production
The Default environment is shared by all licensed users; use dedicated production environments for live apps.
✅ Audit environment access
Periodically review who has access via Azure AD or PowerShell commands.
💡 PowerShell Tip: Check Environment Security Group
You can verify which security group is assigned using PowerShell:
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount
Get-AdminPowerAppEnvironment | Select DisplayName, EnvironmentType, SecurityGroupId
🚀 Summary
Environment Routing + Security Groups = Controlled, Secure, and Automated Environment Access.
It helps Power Platform administrators:
- Manage multi-environment setups efficiently
- Maintain data isolation
- Simplify onboarding for new users
- Ensure compliance and governance
By implementing proper routing rules and security groups, you can turn environment access from a chaotic manual process into a seamless, automated system aligned with organizational security policies.
Hope it helps.
