
October Update

  • gemmabell5
  • Nov 7

Following last month’s Power Platform update, we’re back with the latest highlights from the Microsoft Power Platform blog.


This month’s theme is all about security. Microsoft has rolled out two important updates for Power Pages, both designed to help organisations strengthen their protection against threats and build more secure, trusted experiences for users.


As before, these summaries share what’s new, why it matters and our take on how the community can get the most value from these changes.


Power Pages: New Phishing Detection Security Agent


Update: As the Power Platform is increasingly used to host external and public-facing portals, Microsoft has introduced a Phishing Detection Security Agent for Power Pages. This new capability is designed to proactively identify and stop malicious activity on live sites, making it a very welcome addition to the platform.


Source: Microsoft Power Platform Blog


What it is: The new agent continuously scans live Power Pages sites to detect suspicious or potentially harmful behaviour, helping prevent phishing attempts before they impact users.


What it does:


  • Automatically suspends confirmed phishing sites to protect users
  • Notifies tenant admins via email, Teams and the Power Platform Admin Center (PPAC) whenever action is taken
  • Includes built-in dispute resolution, allowing admins to appeal if a legitimate site is flagged


Why it matters:


  • Adds another layer of secure-by-default protection for organisations hosting public portals
  • Reduces reliance on external phishing reports, speeding up response times
  • Builds greater trust and resilience in Power Pages as an enterprise-grade platform for customer and partner-facing solutions


Our view: This is a welcome move towards proactive security in the Power Platform ecosystem. Power Pages has become central to many organisations’ external user experiences and this new agent reflects a more mature, cloud-scale approach to threat management.


We encourage admins to make sure notification settings are active across email, Teams and PPAC, and to brief makers on secure build practices so potential phishing indicators are avoided from the outset.


Power Pages: CodeQL Scan Enhances Site Security


Update: Following on from the Phishing Detection Security Agent, Microsoft has added another valuable layer to Power Pages security with the integration of CodeQL Scan.


Source: Microsoft Power Platform Blog


What it is: As web applications become central to how organisations operate, securing every line of custom code is more important than ever. CodeQL Scan brings static code analysis directly into the Power Pages development workflow, helping developers spot potential vulnerabilities before sites go live.


Why CodeQL matters: Custom HTML and JavaScript often power rich, dynamic experiences but can also introduce security risks such as cross-site scripting or injection attacks. CodeQL, a semantic code analysis engine from GitHub, scans site codebases to detect these vulnerabilities early.
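
To make the risk concrete, here is an added example (not taken from Microsoft's announcement or from CodeQL's own queries) of custom page JavaScript that builds markup from query-string values, first in the insecure form and then hardened. The function names, the "name" and "next" parameters and the contoso.example URL are assumptions made for illustration.

```javascript
// Added illustration; all names and the sample URL below are constructed.
const SAMPLE_URL =
  "https://contoso.example/welcome?name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&next=javascript%3Aalert(1)";

// Insecure pattern: untrusted query-string values are concatenated into markup.
function renderBannerUnsafe(pageUrl) {
  const q = new URL(pageUrl).searchParams;
  return `<p>Welcome, ${q.get("name")}</p><a href="${q.get("next")}">Continue</a>`;
}

// Escape the five characters that are significant in HTML text and attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value ?? "").replace(/[&<>"']/g, (c) => map[c]);
}

// Allow only same-origin http(s) link targets; anything else falls back to "/".
function safeRedirectTarget(raw, pageUrl) {
  try {
    const base = new URL(pageUrl);
    const target = new URL(raw ?? "/", base);
    const ok = ["http:", "https:"].includes(target.protocol) && target.origin === base.origin;
    return ok ? target.pathname + target.search : "/";
  } catch {
    return "/"; // unparseable input is treated as untrusted
  }
}

// Hardened form: escape for the HTML context and validate the link target.
function renderBannerSafe(pageUrl) {
  const q = new URL(pageUrl).searchParams;
  const next = safeRedirectTarget(q.get("next"), pageUrl);
  return `<p>Welcome, ${escapeHtml(q.get("name"))}</p><a href="${escapeHtml(next)}">Continue</a>`;
}
```

Escaping alone would not have neutralised the link target, which is why the hardened version also checks the scheme and origin before writing the href.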


How it works:


  • Available in VS Code Desktop for locally downloaded Power Pages sites
  • Requires the Power Platform Tools extension in VS Code
  • Runs from the Power Pages Actions view, where developers can initiate a CodeQL screening
  • Scans HTML and JavaScript for insecure patterns or deprecated code
  • Surfaces clear, actionable insights for remediation before publishing changes


Why it matters:


  • Encourages a shift-left approach to security, finding issues during development rather than after deployment
  • Improves overall code quality and maintainability
  • Strengthens compliance readiness for audits and certifications


Our view: This is another positive and practical enhancement for Power Pages. CodeQL Scan helps developers build secure-by-design experiences and reflects the increasing maturity of the Power Platform’s developer toolset. For teams already using Visual Studio Code, it is an easy win that embeds good security hygiene directly into the build process.


Final thoughts


Security has clearly been the focus this month, with both updates reinforcing Microsoft’s commitment to keeping Power Pages safe and resilient as adoption grows.


The Phishing Detection Security Agent protects users and organisations by preventing malicious sites from being hosted.


The CodeQL Scan empowers developers to find and fix vulnerabilities earlier in the build cycle.


Together, these features underline how the Power Platform continues to evolve into a more enterprise-ready environment that balances innovation with responsibility.


At MPowerUp, we see this as another step towards helping organisations and developers build confidently on a platform that takes security seriously.


We’d love to hear from you. How are you approaching Power Pages security within your organisation, and will you be adopting these new capabilities?
