Set up virtual network support for Power Platform

2025-08-01

Azure virtual network support for Power Platform lets you integrate Power Platform and Dataverse components with cloud services or services hosted inside your private enterprise network without exposing them to the public internet. This article explains how to set up virtual network support in your Power Platform environments.

Prerequisites

Note

To enable virtual network support for Power Platform, environments must be Managed Environments.

Review your Power Platform resources: Check your apps, flows, and plug-in code to ensure they connect over your virtual network. They shouldn't call endpoints over the public internet. If your components need to connect to public endpoints, ensure your firewall or network configuration lets such calls. Learn more in Considerations to enable virtual network support for Power Platform environment and in the FAQ.
Prepare your tenant and set up permissions:
- Azure subscription: Make sure you have an Azure subscription where virtual network, subnet, and enterprise policy resources are created.
- Assign roles: Make sure you have the required roles to create resources and enterprise policy.
  - In the Azure portal, assign the Azure network administrator role, such as the network contributor role or an equivalent custom role.
  - In the Microsoft Entra admin center, assign the Power Platform administrator role.
Prepare to use PowerShell:
- Use Windows PowerShell or Install PowerShell Core.
- Clone the GitHub repository to get the PowerShell scripts for enterprise policies.
- Run the "install modules and setup subscription" scripts.

The following diagram shows the functions of the roles in the setup process for virtual network support in a Power Platform environment.

Set up Virtual Network support

Set up the virtual network and subnets.
Create the enterprise policy.
Configure your Power Platform environment.

Set up the virtual network and subnets

Note

Power Platform isn't supported in the Central US region. Review the list of supported regions.

Create virtual networks in Azure regions associated with your Power Platform environment. For example, if your Power Platform environment region is United States, your virtual networks should be created in the eastus and westus Azure regions. For a mapping of environment region to Azure regions, review the list of supported regions.
Important
- If there are two or more supported regions for the geo, such as the United States with eastus and westus, two virtual networks in different regions are required to create the enterprise policy for business continuity and disaster recovery or failover scenarios.
- Be sure that the subnet you create has been appropriately sized according to Estimating subnet size for Power Platform environments.
You can reuse existing virtual networks, if desired. Subnets can't be reused in multiple enterprise policies.
Create a subnet in each of your virtual networks. Review the number of IP addresses that are allocated to each subnet and consider the load of the environment. Both subnets must have the same number of available IP addresses.
Important
- If you plan to use the same, delegated subnet for multiple Power Platform environments, you may need a larger IP address block than /24. Review subnet sizing guidance in Estimating subnet size for Power Platform environments.
- To allow public internet access for Power Platform components, create an Azure NAT gateway for the subnets.
Ensure your Azure subscription is registered for the Microsoft.PowerPlatform resource provider by running the SetupSubscriptionForPowerPlatform.ps1 script.
Ensure your subnets don't have any resources connected to them. Delegate each subnet to Microsoft.PowerPlatform/enterprisePolicies by running the SetupVnetForSubnetDelegation.ps1 script for each subnet. If you don't want to use PowerShell, you can delegate the subnet while creating the virtual network in Azure portal to the service Microsoft.PowerPlatform/enterprisePolicies.

Learn more at Add or remove a subnet delegation.
After you have created paired virtual networks, you can view them in your Azure resource group, as shown in the following image.

Create the enterprise policy

Option 1: Use the Azure ARM template

Ensure you have captured the necessary details, such as the following information, from the virtual networks you have created.
- VnetOneSubnetName
- VnetOneResourceId
- VnetTwoSubnetName
- VnetTwoResourceId

Deploy a custom template in Azure portal. Select the Build your own template in the editor link and copy and paste the following JSON script.

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "policyName": {
            "type": "String",
            "metadata": {
                "description": "The name of the Enterprise Policy."
            }
        },
        "powerplatformEnvironmentRegion": {
            "type": "String",
            "metadata": {
                "description": "Geo of the PowerPlatform environment."
            }
        },
        "vNetOneSubnetName": {
            "type": "String"
        },
        "vNetOneResourceId": {
            "type": "String"
        },
        "vNetTwoSubnetName": {
            "defaultValue": "",
            "type": "String"
        },
        "vNetTwoResourceId": {
            "defaultValue": "",
            "type": "String"
        }
    },
    "variables": {
        "vNetOne": {
            "id": "[parameters('vNetOneResourceId')]",
            "subnet": {
                "name": "[parameters('vNetOneSubnetName')]"
            }
        },
        "vNetTwo": {
            "id": "[parameters('vNetTwoResourceId')]",
            "subnet": {
                "name": "[parameters('vNnetTwoSubnetName')]"
            }
        },
        "vNetTwoSupplied": "[and(not(empty(parameters('vNetTwoSubnetName'))), not(empty(parameters('vNetTwoResourceId'))))]"
    },
    "resources": [
        {
            "type": "Microsoft.PowerPlatform/enterprisePolicies",
            "apiVersion": "2020-10-30",
            "name": "[parameters('policyName')]",
            "location": "[parameters('powerplatformEnvironmentRegion')]",
            "kind": "NetworkInjection",
            "properties": {
                "networkInjection": {
                    "virtualNetworks": "[if(variables('vNetTwoSupplied'), concat(array(variables('vNetOne')), array(variables('vNetTwo'))), array(variables('vNetOne')))]"
                }
            }
        }
    ]
}

Save the template and fill in the details to create the enterprise policy, which includes the following inforamtion:
- Policy name: Name of the enterprise policy that appears in the Power Platform admin center.
- Location: Select the location of the enterprise policy, corresponding with the Dataverse environment’s region:
  - unitedstates
  - southafrica
  - uk
  - japan
  - india
  - france
  - europe
  - germany
  - switzerland
  - canada
  - brazil
  - australia
  - asia
  - uae
  - korea
  - norway
  - singapore
  - sweden
- VnetOneSubnetName: Enter the name of the subnet from the first virtual network.
- VnetOneResourceId: Enter the resource ID from the first virtual network.
- VnetTwoSubnetName: Enter the name of the subnet from the second virtual network.
- VnetTwoResourceId: Enter the resource ID from the second virtual network. It should match the strings from Json script, for example: vNetOneResourceId, vNetOneSubnetName
Select Review + create to finalize the enterprise policy.

Option 2: Use PowerShell

Run the CreateSubnetInjectionEnterprisePolicy.ps1 script, using the virtual networks and subnets you delegated. Remember two virtual networks in different regions are required for geos that support two or more regions.
Important

If you wish to delete the virtual network or subnet, or are getting errors like InUseSubnetCannotBeDeleted and SubnetMissingRequiredDelegation, you must delete the enterprise policy if it exists. You can delete the enterprise policy with the following command.
```
Remove-AzResource -ResourceId $policyArmId -Force
```
Various PowerShell scripts are available to get the enterprise policy for the ARM resource ID.
Grant read access for the enterprise policy to users with the Power Platform administrator role.

Configure your Power Platform environment

Prerequisites

In the following procedures, you assign your environment to an enterprise policy. You're environment must be a managed environment to assign an enterprise policy to it.

Option 1: Use the Power Platform admin center

Sign in to the Power Platform admin center.
In the navigation pane, select Security.
In the Security pane, select Data and privacy.
In the Data protection and privacy page, select Azure Virtual Network policies. The Virtual Network policies pane is displayed.
Select the environment you want to assign to the enterprise policy, select the policy, and select Save. Now the enterprise policy is linked to the environment.

Option 2: Use PowerShell

Run the NewSubnetInjection.ps1 script to apply the enterprise policy to your environment.
If you want to remove the enterprise policy from the environment, you can run the RevertSubnetInjection.ps1 script.

Validate the connection

New admin center
Classic admin center

Sign in to the Power Platform admin center.
In the navigation pane, select Manage.
In the Manage pane, select Environments.
On the Environments page, select an environment.
In the command bar, select History.
Verify that the Status shows Succeeded.