CRM Audio

Power Pages is having a surprisingly good run. In this episode we dig into server-side logic debugging, the new client-side API, and why both feel about 15 years late yet still genuinely useful.
We also look at Omar Zaarour's business-rules tool, Danish Naglekar's cross-platform Power Platform Toolbox, and George's Entra ID auto-clicker for making one of the most annoying prompts quietly disappear.
References
Power Pages Server Logic Debugging Guide | Microsoft Learn

Code-only connectors

Power Pages Client APIs Overview (preview) | Microsoft Learn

Omar Zaarour's T365 Power Pages Business Rules

Danish Naglikar's Power Platform ToolBox | Modern desktop companion - PPTB

Entra ID Auto Confirm browser extension

Get in touch
[email protected]
Nick Hayduk @Engineered_Code
George Doubinski @georgedude

15 years too late but it's finally here: server-side logic in Power Pages.
What does it change in practice?
Unlike Azure Functions, it's just another Power Pages asset that can be added to Power Platform ALM.
Perfect for anything that is logic-lite/secret-heavy. Think payments and integrations that need secrets. Server-side logic avoids awkward workarounds using plugins, Power Automate, etc. just to keep keys safe.
Re-use your Javascript skills though it's not lift-n-shift from the client-side exercise. Just couple new objects to learn: HTTP client for external calls and a Dataverse object for CRUD operations.
There are plenty of scenarios where client-side Web API is better, like interaction with external services requiring callbacks, for example.
As Nick succulently summed it up:
It doesn't make anything possible we couldn't do before. It just makes doing a lot of things we did do before a lot easier.
References
Power Pages server logic overview (preview) | Microsoft Learn
Get in touch
[email protected]
Nick Hayduk @Engineered_Code
George Doubinski @georgedude

It's one of the biggest Power Pages updates we've seen in years, and we're excited about what it means for the future.
We talk about the newest Power Platform release and its biggest change — bringing Power Pages security together with Dataverse roles. We explain how web roles and contact records now work with system users, making Power Pages security act more like Dataverse.
We share what we learned from testing the private preview, including how permissions, ownership, and auditing work now, and what the new "C2" users are. We also wonder what this means for performance, licensing, and people building their own portals.
References
Overview of Power Pages 2025 release wave 2 | Microsoft Learn
Unify Power Pages authorization by merging web role with Dataverse security role | Microsoft Learn
Get in touch
[email protected]
Nick Hayduk @Engineered_Code
George Doubinski @georgedude

In this episode, we take a close look at the history of security issues in Power Pages. We start with the early days — when simple misconfigurations like unchecked table permissions and enabled OData feeds led to major data exposures. These weren't bugs, but they showed how easy it was to set things up the wrong way. We talk about how Microsoft responded and what lessons we've learned about secure defaults and clear documentation.
We then move on to more serious vulnerabilities introduced by newer features like the Web API. We explain how some of these flaws allowed access to restricted data using filters and sort clauses, and how those issues were eventually patched. These were real product-level bugs, and some were even exploited in the wild.
We also share our thoughts on external authentication providers like Google, and the risks that come with delegating authentication — including phishing techniques that can bypass protections. Finally, we reflect on how Power Pages compares to platforms like WordPress, especially when it comes to architecture and the potential for plugin-related vulnerabilities. Despite recent issues, we think the original design of Power Pages deserves credit for holding up well over time.
References
Power Pages security | Microsoft Learn
Tip #1407: How to secure Power Apps portal from making the news - Power Platform & Dynamics CRM Tip Of The Day
Engineered Code - Blog - Power Pages: Another "Leak"
https://thehackernews.com/2025/01/severe-security-flaws-patched-in.html

https://www.bleepingcomputer.com/news/security/microsoft-fixes-power-pages-zero-day-bug-exploited-in-attacks/

https://www.cnn.com/2021/08/24/tech/data-leak-microsoft-upguard/index.html

 
https://www.upguard.com/breaches/power-apps

Get in touch
[email protected]
Nick Hayduk @Engineered_Code
George Doubinski @georgedude

Continuing from the wishlist, in this episode we focus on underused features in Power Pages - capabilities that are built into the platform but often overlooked during development.
We discuss features such as redirects, shortcuts, site markers, and web link sets, highlighting where they fit and why they're still relevant, especially for structured navigation and content management. We also cover content snippets, explaining how they support multilingual content, reduce duplication, and allow non-developers to manage content without modifying code.
Additional topics:
Leveraging form and list metadata instead of custom JavaScript

Choosing fetchXML in liquid over Web API for secure, server-side queries

The challenges and potential of conditional multistep forms

The role of site settings in fine-tuning authentication and behavior

A lot of Power Pages features are often overlooked. Hopefully you get some extra ammunition to improve structure, usability, and long-term maintainability across projects.
Get in touch
[email protected]
Nick Hayduk @Engineered_Code
George Doubinski @georgedude