Hide your dirty laundry on the server-side
15 years too late but it's finally here: server-side logic in Power Pages. What does it change in practice? Unlike Azure Functions, it's just another Power Pages asset that can be added to Power Platform ALM. Perfect for anything that is logic-lite/secret-heavy. Think payments and integrations that need secrets. Server-side logic avoids awkward workarounds using plugins, Power Automate, etc. just to keep keys safe. Re-use your JavaScript skills, though it's not a lift-n-shift from the client-side exercise. There are just a couple of new objects to learn: an HTTP client for external calls and a Dataverse object for CRUD operations. There are plenty of scenarios where the client-side Web API is better, for example interaction with external services requiring callbacks.

As Nick succinctly summed it up: It doesn't make anything possible we couldn't do before. It just makes doing a lot of things we did do before a lot easier.

References
- Power Pages server logic overview (preview) | Microsoft Learn

Get in touch
- voice@crm.audio
- Nick Hayduk @Engineered_Code
- George Doubinski @georgedude
Contacts Are Users Too - Now with Dataverse Privileges
It’s one of the biggest Power Pages updates we’ve seen in years, and we’re excited about what it means for the future. We talk about the newest Power Platform release and its biggest change — bringing Power Pages security together with Dataverse roles. We explain how web roles and contact records now work with system users, making Power Pages security act more like Dataverse. We share what we learned from testing the private preview, including how permissions, ownership, and auditing work now, and what the new “C2” users are. We also wonder what this means for performance, licensing, and people building their own portals.

References
- Overview of Power Pages 2025 release wave 2 | Microsoft Learn
- Unify Power Pages authorization by merging web role with Dataverse security role | Microsoft Learn
End Of The World As We Know It: Security Leaks In Power Pages
In this episode, we take a close look at the history of security issues in Power Pages. We start with the early days — when simple misconfigurations like unchecked table permissions and enabled OData feeds led to major data exposures. These weren’t bugs, but they showed how easy it was to set things up the wrong way. We talk about how Microsoft responded and what lessons we’ve learned about secure defaults and clear documentation.

We then move on to more serious vulnerabilities introduced by newer features like the Web API. We explain how some of these flaws allowed access to restricted data using filters and sort clauses, and how those issues were eventually patched. These were real product-level bugs, and some were even exploited in the wild.

We also share our thoughts on external authentication providers like Google, and the risks that come with delegating authentication — including phishing techniques that can bypass protections.

Finally, we reflect on how Power Pages compares to platforms like WordPress, especially when it comes to architecture and the potential for plugin-related vulnerabilities. Despite recent issues, we think the original design of Power Pages deserves credit for holding up well over time.

References
- Power Pages security | Microsoft Learn
- Tip #1407: How to secure Power Apps portal from making the news - Power Platform & Dynamics CRM Tip Of The Day
- Engineered Code - Blog - Power Pages: Another “Leak”
- https://thehackernews.com/2025/01/severe-security-flaws-patched-in.html
- https://www.bleepingcomputer.com/news/security/microsoft-fixes-power-pages-zero-day-bug-exploited-in-attacks/
- https://www.cnn.com/2021/08/24/tech/data-leak-microsoft-upguard/index.html
- https://www.upguard.com/breaches/power-apps
Hidden In Plain Site: Underused Features in Power Pages
Continuing from the wishlist, in this episode we focus on underused features in Power Pages - capabilities that are built into the platform but often overlooked during development. We discuss features such as redirects, shortcuts, site markers, and web link sets, highlighting where they fit and why they’re still relevant, especially for structured navigation and content management. We also cover content snippets, explaining how they support multilingual content, reduce duplication, and allow non-developers to manage content without modifying code.

Additional topics:
- Leveraging form and list metadata instead of custom JavaScript
- Choosing FetchXML in Liquid over Web API for secure, server-side queries
- The challenges and potential of conditional multistep forms
- The role of site settings in fine-tuning authentication and behavior

A lot of Power Pages features are often overlooked. Hopefully you get some extra ammunition to improve structure, usability, and long-term maintainability across projects.
Cache Me If You Can: The Power Pages Wishlist
In this episode, we deliver on our promise from the previous show — a wishlist of features we’d love to see in Power Pages (and none of them are AI). It’s a mix of practical frustrations from real-world projects and some wild ideas for future innovation.

What did we talk about?

George’s standing desk automation project — powered by Python, Bluetooth, and (eventually) Power Platform. Imagine your desk going up automatically before every meeting!

Top Power Pages wishlist items:
- API to clear the cache — long-requested, simple sounding, yet still missing.
- Modern Forms — it’s time to modernize the end-user experience beyond Bootstrap upgrades.
- Support for Quick View and Quick Create forms — why only Main forms?
- Multi-step form improvements — allow skipping between steps, especially when there are no conditions.
- Bring back Front-Side Editing — content editing without admin rights is a must for real CMS scenarios.
- Power Automate integration in forms and lists — run flows like classic workflows directly from UI.
- Framework agnostic design — let’s dream big: support Tailwind, Foundation, or other CSS frameworks beyond Bootstrap.

What's next? How about a tour of Power Pages features that already exist — but almost nobody uses.

Credits
- Cover image by ChatGPT (inspired by terrible prompts)

References
- rhyst/linak-controller: A Python script to control Linak standing desks