samt-source/governance-first-authorization-architecture-for-microsoft-power-pages: Membership-Driven Authorization Architecture for Microsoft Power Pages

This publication presents a membership-driven authorization architecture for Microsoft Power Pages applications, designed for government and public-sector digital services.

The architecture replaces the default “authentication implies access” model with an explicit authorization framework based on formal access approval, application-scoped permissions, and auditable membership records. Authorization decisions are externalized from the Dataverse Contact identity into a dedicated Membership layer, enabling multi-organization access, least-privilege enforcement, and traceable access lifecycle management without modifying core identity schemas.

The design introduces a runtime authorization intercept pattern that evaluates approved memberships before application access is granted, while leveraging native Power Pages Web Roles strictly for enforcement. Administrative governance is centralized through a model-driven application with approval workflows, automated provisioning, and immediate revocation capabilities.

This architecture addresses common access-control limitations encountered in Power Pages deployments within regulated environments such as government, healthcare, and public-sector programs, where compliance, explicit approval boundaries, and auditability are required.

The work contributes a reusable governance-first authorization pattern for scalable, compliant Microsoft Power Pages implementations.