It's one of the biggest Power Pages updates we've seen in years, and we're excited about what it means for the future.
We talk about the newest Power Platform release and its biggest change — bringing Power Pages security together with Dataverse roles. We explain how web roles and contact records now work with system users, making Power Pages security act more like Dataverse.
We share what we learned from testing the private preview, including how permissions, ownership, and auditing work now, and what the new "C2" users are. We also wonder what this means for performance, licensing, and people building their own portals.
In this episode, we take a close look at the history of security issues in Power Pages. We start with the early days — when simple misconfigurations like unchecked table permissions and enabled OData feeds led to major data exposures. These weren't bugs, but they showed how easy it was to set things up the wrong way. We talk about how Microsoft responded and what lessons we've learned about secure defaults and clear documentation.
We then move on to more serious vulnerabilities introduced by newer features like the Web API. We explain how some of these flaws allowed access to restricted data using filters and sort clauses, and how those issues were eventually patched. These were real product-level bugs, and some were even exploited in the wild.
We also share our thoughts on external authentication providers like Google, and the risks that come with delegating authentication — including phishing techniques that can bypass protections. Finally, we reflect on how Power Pages compares to platforms like WordPress, especially when it comes to architecture and the potential for plugin-related vulnerabilities. Despite recent issues, we think the original design of Power Pages deserves credit for holding up well over time.
Continuing from the wishlist, in this episode we focus on underused features in Power Pages - capabilities that are built into the platform but often overlooked during development.
We discuss features such as redirects, shortcuts, site markers, and web link sets, highlighting where they fit and why they're still relevant, especially for structured navigation and content management. We also cover content snippets, explaining how they support multilingual content, reduce duplication, and allow non-developers to manage content without modifying code.
Additional topics:
Leveraging form and list metadata instead of custom JavaScript
Choosing FetchXML in Liquid over Web API for secure, server-side queries
The challenges and potential of conditional multistep forms
The role of site settings in fine-tuning authentication and behavior
A lot of Power Pages features are often overlooked. Hopefully you get some extra ammunition to improve structure, usability, and long-term maintainability across projects.
In this episode, we deliver on our promise from the previous show — a wishlist of features we'd love to see in Power Pages (and none of them are AI). It's a mix of practical frustrations from real-world projects and some wild ideas for future innovation. What did we talk about?
Top Power Pages wishlist items:
API to clear the cache — long-requested, simple-sounding, yet still missing.
Modern Forms — it's time to modernize the end-user experience beyond Bootstrap upgrades.
Support for Quick View and Quick Create forms — why only Main forms?
Multi-step form improvements — allow skipping between steps, especially when there are no conditions.
Bring back Front-Side Editing — content editing without admin rights is a must for real CMS scenarios.
Power Automate integration in forms and lists — run flows like classic workflows directly from UI.
Framework agnostic design — let's dream big: support Tailwind, Foundation, or other CSS frameworks beyond Bootstrap.
What's next? How about a tour of Power Pages features that already exist — but almost nobody uses.
Credits: Cover image by chatGPT (inspired by terrible prompts)
In the first episode of 2025, Nick and George break down Release Wave 1 2025 for Power Pages, separating real improvements from underwhelming updates. AI features take center stage, but do they actually add value? Discussion covers AI-assisted forms, web agents, and natural language queries, questioning their usefulness in real-world applications.
Modern lists get long-awaited updates, including JavaScript event support and metadata filters, finally closing gaps with classic lists. The ongoing file upload saga resurfaces, and the new virus scanning feature raises questions about effectiveness. A streamlined Microsoft Entra ID setup wizard promises easier authentication setup, but handling failed logins remains tricky.
A surprising security threat in social logins also comes up — cross-IdP impersonation — where an external authenticator can let attackers register an account with someone else's corporate email.
With event portals moving from outbound marketing to Power Pages, the clock ticks toward a July 2025 deadline for migration. Anyone still using the old Angular-based event sites needs to start planning now.
Want to know what's missing from this release? A wishlist of features Power Pages actually needs is coming next time. Don't miss it!
Credits: Cover image by chatGPT (inspired by terrible prompts)