Now Reading: The Hybrid Mandate: Python in Power Platform
-
01
The Hybrid Mandate: Python in Power Platform
1
00:00:00,000 –> 00:00:01,920
Most organizations treat the power platform
2
00:00:01,920 –> 00:00:03,920
like a harmless productivity toy.
3
00:00:03,920 –> 00:00:06,120
Drag some boxes, automate a few emails,
4
00:00:06,120 –> 00:00:08,080
call it digital transformation.
5
00:00:08,080 –> 00:00:11,440
Then it scales, and the same logic that felt clean at 10 runs
6
00:00:11,440 –> 00:00:13,800
a day becomes a pile of exceptions at 10,000.
7
00:00:13,800 –> 00:00:15,040
That’s not success.
8
00:00:15,040 –> 00:00:16,600
That’s unpriced complexity.
9
00:00:16,600 –> 00:00:19,760
The hybrid mandate is simple.
10
00:00:19,760 –> 00:00:21,680
Power platform is the orchestration tier.
11
00:00:21,680 –> 00:00:23,080
Python is the execution tier.
12
00:00:23,080 –> 00:00:24,320
Azure is the governance tier,
13
00:00:24,320 –> 00:00:26,200
separate coordination from computation,
14
00:00:26,200 –> 00:00:28,800
and rapid all in identity, network boundaries, logging,
15
00:00:28,800 –> 00:00:32,160
and policy so it stays governable after the hype dies.
16
00:00:32,160 –> 00:00:33,880
The foundational misunderstanding.
17
00:00:33,880 –> 00:00:36,520
Power platform as a tool, not a control plane.
18
00:00:36,520 –> 00:00:39,000
The foundational misunderstanding is that power platform
19
00:00:39,000 –> 00:00:41,480
is a tool in the same way Excel is a tool.
20
00:00:41,480 –> 00:00:43,920
A thing people use, a thing that sits at the edge.
21
00:00:43,920 –> 00:00:44,880
Something optional.
22
00:00:44,880 –> 00:00:46,480
That is not what you’re deploying.
23
00:00:46,480 –> 00:00:50,200
In architectural terms, power platform is a control plane.
24
00:00:50,200 –> 00:00:51,960
A distributed decision engine
25
00:00:51,960 –> 00:00:55,680
that coordinates data movement, actions, approvals, identities,
26
00:00:55,680 –> 00:00:57,720
and connector calls across your tenant.
27
00:00:57,720 –> 00:00:59,120
It doesn’t just automate work.
28
00:00:59,120 –> 00:01:01,360
It defines how work is allowed to happen
29
00:01:01,360 –> 00:01:02,920
and who is allowed to trigger it
30
00:01:02,920 –> 00:01:05,080
and which data is allowed to cross which boundary.
31
00:01:05,080 –> 00:01:07,400
That distinction matters because the moment you treat
32
00:01:07,400 –> 00:01:09,880
a control plane like a toy, you stop designing it.
33
00:01:09,880 –> 00:01:12,240
And when you stop designing it, the system designs itself.
34
00:01:12,240 –> 00:01:13,240
It always does.
35
00:01:13,240 –> 00:01:15,720
When people say, “Power Automate is just workflows.”
36
00:01:15,720 –> 00:01:17,160
What they’re really saying is,
37
00:01:17,160 –> 00:01:20,520
“I don’t want to own the consequences of a workflow runtime
38
00:01:20,520 –> 00:01:22,960
that can call a thousand external systems
39
00:01:22,960 –> 00:01:26,400
with the privileges of whoever clicked create connection.”
40
00:01:27,440 –> 00:01:29,920
The platform is not fragile, your assumptions are.
41
00:01:29,920 –> 00:01:31,720
Here’s where decisions actually happen.
42
00:01:31,720 –> 00:01:33,720
Identity determines what a flow can do,
43
00:01:33,720 –> 00:01:35,640
connectors determine what a flow can reach,
44
00:01:35,640 –> 00:01:37,520
environments determine where it can be built
45
00:01:37,520 –> 00:01:38,640
and who can see it.
46
00:01:38,640 –> 00:01:41,000
DLP determines which connectors can be paired,
47
00:01:41,000 –> 00:01:43,040
solutions and ALM determine whether the thing
48
00:01:43,040 –> 00:01:45,280
running in production is an artifact with intent
49
00:01:45,280 –> 00:01:47,600
or just a screenshot of last month’s prototype.
50
00:01:47,600 –> 00:01:50,000
Most organizations focus on the visible part,
51
00:01:50,000 –> 00:01:52,480
the canvas, the steps, the triggers.
52
00:01:52,480 –> 00:01:53,640
That’s the UI.
53
00:01:53,640 –> 00:01:55,760
The real architecture is the graph behind it.
54
00:01:55,760 –> 00:01:57,600
Entry Identity’s delegated permissions,
55
00:01:57,600 –> 00:01:59,600
connection references, environment roles,
56
00:01:59,600 –> 00:02:01,640
dataverse security and policy objects
57
00:02:01,640 –> 00:02:04,240
that live in admin portals nobody wants to open.
58
00:02:04,240 –> 00:02:05,240
So what goes wrong?
59
00:02:05,240 –> 00:02:06,120
Entropy.
60
00:02:06,120 –> 00:02:09,040
Because low-code teams under pressure don’t build systems.
61
00:02:09,040 –> 00:02:09,920
They build exceptions.
62
00:02:09,920 –> 00:02:12,840
Just this one connector, just this one bypassed it,
63
00:02:12,840 –> 00:02:14,800
just put the credential in a variable.
64
00:02:14,800 –> 00:02:16,200
Just add a condition.
65
00:02:16,200 –> 00:02:17,360
Each one feels small.
66
00:02:17,360 –> 00:02:18,600
None of them is revisited.
67
00:02:18,600 –> 00:02:21,160
Over time, the exceptions become the architecture
68
00:02:21,160 –> 00:02:23,120
and once exceptions become the architecture,
69
00:02:23,120 –> 00:02:26,040
you’re no longer operating a deterministic security model.
70
00:02:26,040 –> 00:02:27,640
You’re operating a probabilistic one.
71
00:02:27,640 –> 00:02:29,640
The system still runs, but you can’t predict
72
00:02:29,640 –> 00:02:31,160
its behavior underdrift.
73
00:02:31,160 –> 00:02:33,040
When people leave, when tokens expire,
74
00:02:33,040 –> 00:02:35,760
when licensing changes, when a connector update breaks
75
00:02:35,760 –> 00:02:37,760
a payload, when throttles kick in,
76
00:02:37,760 –> 00:02:40,400
when a maker copies a flow to fix it quickly
77
00:02:40,400 –> 00:02:43,080
and accidentally creates a parallel universe.
78
00:02:43,080 –> 00:02:46,200
This is why it works is not the same as it is governable.
79
00:02:46,200 –> 00:02:48,240
A flow can work while being unreviewable.
80
00:02:48,240 –> 00:02:50,560
It can work while having no owner you can contact.
81
00:02:50,560 –> 00:02:51,960
It can work while being impossible
82
00:02:51,960 –> 00:02:53,440
to reproduce in another environment.
83
00:02:53,440 –> 00:02:55,920
It can work while quietly moving data from dataverse
84
00:02:55,920 –> 00:02:57,280
to a consumer connector.
85
00:02:57,280 –> 00:03:00,400
Because somebody built it in the default environment at 2am.
86
00:03:00,400 –> 00:03:02,840
It can work while your incident response team
87
00:03:02,840 –> 00:03:05,800
has no correlated logs and no idea whether the last run
88
00:03:05,800 –> 00:03:08,040
failed because of data, permissions, throttling
89
00:03:08,040 –> 00:03:10,000
or a transient back end issue.
90
00:03:10,000 –> 00:03:10,960
That’s the comfort trap.
91
00:03:10,960 –> 00:03:12,280
Success hides failure modes.
92
00:03:12,280 –> 00:03:13,760
Now add Python to the story.
93
00:03:13,760 –> 00:03:17,400
The naive question is, can power automate call Python?
94
00:03:17,400 –> 00:03:18,080
Sure.
95
00:03:18,080 –> 00:03:19,840
People already do it with file watches,
96
00:03:19,840 –> 00:03:22,800
one drive polling, local scripts, random service accounts
97
00:03:22,800 –> 00:03:24,960
and whatever laptop happens to be online.
98
00:03:24,960 –> 00:03:27,040
But the real question is, where does Python belong
99
00:03:27,040 –> 00:03:28,640
and what does it do to your control plane?
100
00:03:28,640 –> 00:03:30,520
Because Python isn’t just code.
101
00:03:30,520 –> 00:03:33,480
It’s an execution environment, packages, dependencies,
102
00:03:33,480 –> 00:03:36,480
runtime patching, outbound calls, secret handling
103
00:03:36,480 –> 00:03:37,920
and operational ownership.
104
00:03:37,920 –> 00:03:40,200
If you bolt it onto power platform without boundaries,
105
00:03:40,200 –> 00:03:41,800
you don’t get a hybrid architecture.
106
00:03:41,800 –> 00:03:44,800
You get a shadow runtime with undefined responsibility.
107
00:03:44,800 –> 00:03:46,240
That is how governance disappears,
108
00:03:46,240 –> 00:03:48,320
not with malice but with convenience.
109
00:03:48,320 –> 00:03:51,600
So the right framing is this, power platform orchestrates.
110
00:03:51,600 –> 00:03:54,240
It roots, approves, schedules, notifies
111
00:03:54,240 –> 00:03:55,920
and handles human touch points.
112
00:03:55,920 –> 00:03:59,920
Python executes, it transforms, validates, deduplicates, scores
113
00:03:59,920 –> 00:04:01,640
and computes in a deterministic way
114
00:04:01,640 –> 00:04:03,680
that doesn’t belong inside a flow designer.
115
00:04:03,680 –> 00:04:06,360
As your governs, it provides the enforcement layer.
116
00:04:06,360 –> 00:04:09,440
Identity primitives, network containment, secrets,
117
00:04:09,440 –> 00:04:13,080
observability, policy and life cycle control.
118
00:04:13,080 –> 00:04:15,240
Treat power platform as a control plane
119
00:04:15,240 –> 00:04:17,120
and you start asking better questions.
120
00:04:17,120 –> 00:04:18,280
Who is the principal?
121
00:04:18,280 –> 00:04:20,440
Which identity is calling, which service?
122
00:04:20,440 –> 00:04:21,560
What is the network path?
123
00:04:21,560 –> 00:04:22,520
Where do secrets live?
124
00:04:22,520 –> 00:04:24,280
What does internal mean?
125
00:04:24,280 –> 00:04:25,040
Where are the logs?
126
00:04:25,040 –> 00:04:27,360
And can they be correlated across tiers?
127
00:04:27,360 –> 00:04:29,960
What is the contract between orchestration and execution?
128
00:04:29,960 –> 00:04:31,920
What happens when this scales by 10 times?
129
00:04:31,920 –> 00:04:33,480
Most people never ask those questions
130
00:04:33,480 –> 00:04:34,720
because the first flow works.
131
00:04:34,720 –> 00:04:38,000
Then the second one works, then you have 50, then you have 500,
132
00:04:38,000 –> 00:04:40,760
then the audit shows up and everyone suddenly discovers
133
00:04:40,760 –> 00:04:43,280
they’ve been running a distributed integration platform
134
00:04:43,280 –> 00:04:44,600
with no architecture.
135
00:04:44,600 –> 00:04:46,640
And this is the moment the low-code team
136
00:04:46,640 –> 00:04:48,760
hits the ceiling, not a technical ceiling,
137
00:04:48,760 –> 00:04:51,200
a governance ceiling, the low-code ceiling
138
00:04:51,200 –> 00:04:53,680
when flows become data pipelines by accident.
139
00:04:53,680 –> 00:04:55,440
This is where the story always turns.
140
00:04:55,440 –> 00:04:57,880
The first few flows are fine, send a team’s message,
141
00:04:57,880 –> 00:05:00,360
create a task, root an approval, write a row,
142
00:05:00,360 –> 00:05:02,480
then the business starts trusting the automation
143
00:05:02,480 –> 00:05:05,480
and trust turns into load and load turns into ambition.
144
00:05:05,480 –> 00:05:07,600
Suddenly the flow isn’t automation anymore.
145
00:05:07,600 –> 00:05:10,320
It’s an accidental data pipeline, it’s passing CSVs,
146
00:05:10,320 –> 00:05:12,480
it’s normalizing Excel tabs, it’s doing lookups
147
00:05:12,480 –> 00:05:14,960
across multiple systems, it’s joining data,
148
00:05:14,960 –> 00:05:16,320
it’s deduplicating,
149
00:05:16,320 –> 00:05:19,520
it’s trying to behave like an ETL tool, a rules engine
150
00:05:19,520 –> 00:05:21,840
and a batch processor, inside a designer
151
00:05:21,840 –> 00:05:24,840
that was built to coordinate steps, not compute.
152
00:05:24,840 –> 00:05:26,800
You can tell you’ve hit the ceiling by the symptoms
153
00:05:26,800 –> 00:05:29,000
and they’re consistent across tenants.
154
00:05:29,000 –> 00:05:30,120
There’s the spreadsheet phase,
155
00:05:30,120 –> 00:05:32,520
someone drops a file into one drive or share point,
156
00:05:32,520 –> 00:05:34,720
the flow reads rows and everything is fine
157
00:05:34,720 –> 00:05:36,040
until the file isn’t fine.
158
00:05:36,040 –> 00:05:38,960
Extra columns embedded commas, we are date formats.
159
00:05:38,960 –> 00:05:40,760
Empty rows that aren’t actually empty,
160
00:05:40,760 –> 00:05:42,800
a total line somebody forgot to delete.
161
00:05:42,800 –> 00:05:44,840
Now the flow has 10 string replacements
162
00:05:44,840 –> 00:05:47,280
and a set of conditions that look like a legal disclaimer.
163
00:05:47,280 –> 00:05:49,080
Then come the loops, nested loops,
164
00:05:49,080 –> 00:05:51,120
apply to each inside, apply to each,
165
00:05:51,120 –> 00:05:53,880
a scope inside a scope because somebody needed a try,
166
00:05:53,880 –> 00:05:55,960
catch, another scope because someone needed
167
00:05:55,960 –> 00:05:57,880
to continue on error.
168
00:05:57,880 –> 00:06:00,480
And now the flow run history is basically a crime scene.
169
00:06:00,480 –> 00:06:03,640
600 actions, three retries, four parallel branches
170
00:06:03,640 –> 00:06:06,560
and a final terminate with a message that tells you nothing.
171
00:06:06,560 –> 00:06:08,720
This might seem like a maker problem, it isn’t.
172
00:06:08,720 –> 00:06:10,280
It’s a platform economics problem.
173
00:06:10,280 –> 00:06:12,400
In power automate, every additional action
174
00:06:12,400 –> 00:06:14,280
is an unpriced maintenance contract.
175
00:06:14,280 –> 00:06:15,880
You don’t pay the cost when you build it.
176
00:06:15,880 –> 00:06:18,760
You pay it when you debug it, version it, secure it
177
00:06:18,760 –> 00:06:20,760
and explain it to someone who didn’t design it.
178
00:06:20,760 –> 00:06:22,240
And the platform encourages this
179
00:06:22,240 –> 00:06:25,240
because the UI makes every step feel equally cheap.
180
00:06:25,240 –> 00:06:27,440
One more action, one more condition, one more compose,
181
00:06:27,440 –> 00:06:28,560
it’s fine, it isn’t.
182
00:06:28,560 –> 00:06:30,360
Because flows don’t give you determinism.
183
00:06:30,360 –> 00:06:31,760
They give you last run.
184
00:06:31,760 –> 00:06:34,120
When something breaks, you get a screenshot of a failed action
185
00:06:34,120 –> 00:06:36,200
and a payload that’s half context, half noise
186
00:06:36,200 –> 00:06:38,720
and you’re expected to reverse engineer intent
187
00:06:38,720 –> 00:06:39,880
from the remains.
188
00:06:39,880 –> 00:06:42,640
And changes don’t carry version intent by default.
189
00:06:42,640 –> 00:06:45,800
A maker tweaks in expression, the flow runs, the incident stops
190
00:06:45,800 –> 00:06:48,000
and nobody can tell you what changed, why it changed
191
00:06:48,000 –> 00:06:49,920
or whether it created a new failure mode
192
00:06:49,920 –> 00:06:51,560
that just hasn’t been triggered yet.
193
00:06:51,560 –> 00:06:53,560
The system becomes a set of invisible forks.
194
00:06:53,560 –> 00:06:55,000
This is also where platform limits
195
00:06:55,000 –> 00:06:58,160
quietly convert logic into workaround engineering.
196
00:06:58,160 –> 00:07:01,040
Connector throttles don’t care about your business priority.
197
00:07:01,040 –> 00:07:03,080
Run limits don’t care about your deadline.
198
00:07:03,080 –> 00:07:06,120
Large payload limits don’t care that it’s just a spreadsheet.
199
00:07:06,120 –> 00:07:08,680
So people start engineering around the constraints,
200
00:07:08,680 –> 00:07:11,080
chunking arrays, splitting files, delaying steps,
201
00:07:11,080 –> 00:07:13,240
adding weights, switching to concurrency,
202
00:07:13,240 –> 00:07:16,080
then turning concurrency off because it causes duplicates,
203
00:07:16,080 –> 00:07:18,760
then adding a do not run twice flag in dataverse
204
00:07:18,760 –> 00:07:20,560
that fails under race conditions.
205
00:07:20,560 –> 00:07:23,920
And the weird part is, all of these workarounds look like progress.
206
00:07:23,920 –> 00:07:25,800
They’re not progress, they’re symptoms of using
207
00:07:25,800 –> 00:07:28,040
an orchestration engine as a compute engine.
208
00:07:28,040 –> 00:07:31,320
So when someone asks, can power automate kick off Python?
209
00:07:31,320 –> 00:07:34,040
They’re usually asking the wrong question with the right instinct.
210
00:07:34,040 –> 00:07:36,520
The instinct is that computation needs a real runtime.
211
00:07:36,520 –> 00:07:39,040
The wrong part is thinking the integration is the hard problem.
212
00:07:39,040 –> 00:07:40,200
The integration is easy.
213
00:07:40,200 –> 00:07:41,280
The boundary is the problem.
214
00:07:41,280 –> 00:07:43,960
Because the moment you bolt Python onto a flow without deciding
215
00:07:43,960 –> 00:07:46,480
where it lives, you’ve created an unknown execution tier.
216
00:07:46,480 –> 00:07:48,200
If it’s a script on someone’s laptop,
217
00:07:48,200 –> 00:07:50,760
you just made availability dependent on a human.
218
00:07:50,760 –> 00:07:54,240
If it’s a file watcher, you just made your control plane depend on polling.
219
00:07:54,240 –> 00:07:56,440
If it’s a service account, you just planted a credential
220
00:07:56,440 –> 00:07:58,200
that will outlive the person who created it.
221
00:07:58,200 –> 00:08:00,880
If it writes directly back to dataverse using ad hoc tokens,
222
00:08:00,880 –> 00:08:03,640
you just bypass the governance posture you thought you had.
223
00:08:03,640 –> 00:08:07,320
This is why the low-code ceiling is not the moment flows can’t do the work.
224
00:08:07,320 –> 00:08:09,480
It’s the moment the only way to keep doing the work
225
00:08:09,480 –> 00:08:12,960
is to add more actions, more exceptions, and more hidden dependencies.
226
00:08:12,960 –> 00:08:14,920
That is architectural erosion in real time.
227
00:08:14,920 –> 00:08:17,040
So the real question isn’t can it call Python?
228
00:08:17,040 –> 00:08:19,560
The real question is, what stays in power platform
229
00:08:19,560 –> 00:08:22,560
because it’s orchestration and what leaves because it’s execution?
230
00:08:22,560 –> 00:08:26,400
If you don’t answer that, your flows will keep mutating into pipelines by accident
231
00:08:26,400 –> 00:08:31,240
and you’ll keep paying for it in the only currency that matters in production and baguity.
232
00:08:31,240 –> 00:08:34,720
And from here, the model has to become explicit or the entropy wins.
233
00:08:34,720 –> 00:08:36,360
Define the three tier model.
234
00:08:36,360 –> 00:08:39,680
So define the model explicitly before you integrate anything.
235
00:08:39,680 –> 00:08:43,360
Because if you don’t define tiers, you don’t get a hybrid architecture.
236
00:08:43,360 –> 00:08:44,880
You get a hybrid blame game.
237
00:08:44,880 –> 00:08:46,880
Power platform is the orchestration tier.
238
00:08:46,880 –> 00:08:48,200
Python is the execution tier.
239
00:08:48,200 –> 00:08:49,440
Azure is the governance tier.
240
00:08:49,440 –> 00:08:51,440
And yes, these words sound like a diagram,
241
00:08:51,440 –> 00:08:54,320
but treat them as ownership boundaries, not shapes on a slide.
242
00:08:54,320 –> 00:08:56,880
Each tier exists because it is good at one thing
243
00:08:56,880 –> 00:08:59,040
and dangerously mediocre at the other two.
244
00:08:59,040 –> 00:09:01,240
Start with orchestration.
245
00:09:01,240 –> 00:09:03,360
Power platform excels at coordination.
246
00:09:03,360 –> 00:09:08,000
Triggers, rooting, approvals, human in the loop steps, notifications,
247
00:09:08,000 –> 00:09:10,320
exception handling that a business can understand
248
00:09:10,320 –> 00:09:13,280
and state tracking that lives close to the process owners.
249
00:09:13,280 –> 00:09:17,360
It’s also where connector policy and environment scoping can actually enforce behavior at scale.
250
00:09:17,360 –> 00:09:19,680
The orchestration tier should do three jobs.
251
00:09:19,680 –> 00:09:21,640
Decide that work needs to happen.
252
00:09:21,640 –> 00:09:23,200
Decide who is allowed to approve it
253
00:09:23,200 –> 00:09:25,240
and decide whether results should be recorded.
254
00:09:25,240 –> 00:09:25,760
That’s it.
255
00:09:25,760 –> 00:09:30,800
The orchestration tier is not where you do heavy passing, complex validation, bulk data shaping
256
00:09:30,800 –> 00:09:32,920
or probabilistic, let’s see what happens loops.
257
00:09:32,920 –> 00:09:36,720
Because once you do that, the flow stops being coordination and becomes computation
258
00:09:36,720 –> 00:09:39,840
and you lose determinism, version intent and debuggability.
259
00:09:39,840 –> 00:09:42,000
Now the execution tier.
260
00:09:42,000 –> 00:09:45,160
Python exists here because execution needs determinism.
261
00:09:45,160 –> 00:09:49,240
It needs a real runtime, real libraries, real testing, real error handling,
262
00:09:49,240 –> 00:09:52,480
real dependency management and real performance characteristics.
263
00:09:52,480 –> 00:09:55,800
This tier is where you do transforms, normalization, deduplication,
264
00:09:55,800 –> 00:09:58,760
model inference, scoring, enrichment and batch strategy.
265
00:09:58,760 –> 00:10:01,280
It’s where you can implement idempotency
266
00:10:01,280 –> 00:10:04,920
as code, not as a pile of flags inside a low code designer.
267
00:10:04,920 –> 00:10:08,520
It’s where you can unit test the rules that decide whether a row is valid,
268
00:10:08,520 –> 00:10:11,280
a record should be merged or a payload should be rejected.
269
00:10:11,280 –> 00:10:14,200
And the critical point, the execution tier should behave like a service,
270
00:10:14,200 –> 00:10:15,560
not a script, not a sidecar.
271
00:10:15,560 –> 00:10:19,600
A service has a contract, a service has versions, a service has clear inputs and outputs.
272
00:10:19,600 –> 00:10:25,200
A service can be patched without asking makers to open 50 flows and edit expressions they don’t understand.
273
00:10:25,200 –> 00:10:28,800
A service can be monitored, a service can be throttled intentionally
274
00:10:28,800 –> 00:10:33,680
and a service can be owned by a team that is accountable for its behavior in production.
275
00:10:33,680 –> 00:10:35,640
That’s what Python is for in this model,
276
00:10:35,640 –> 00:10:39,920
deterministic compute that stays stable while the orchestration changes around it.
277
00:10:39,920 –> 00:10:41,840
Now the governance tier.
278
00:10:41,840 –> 00:10:48,080
As you exist here because somebody has to enforce reality, identity, network boundaries, secrets,
279
00:10:48,080 –> 00:10:52,080
observability, policy, cost controls, life cycle.
280
00:10:52,080 –> 00:10:57,000
The governance tier is the place where you stop trusting its internal as a security strategy
281
00:10:57,000 –> 00:11:00,200
and start making it true with control plane primitives.
282
00:11:00,200 –> 00:11:02,520
This is where enter ID becomes non-negotiable.
283
00:11:02,520 –> 00:11:06,040
Non-interactive workloads should authenticate as principles, not as people.
284
00:11:06,040 –> 00:11:11,000
This is where key vault, managed identities and secret rotation stop being nice to have
285
00:11:11,000 –> 00:11:13,000
and become basic operational hygiene.
286
00:11:13,000 –> 00:11:17,640
This is where network containment turns reachable into a governed property, not a convenience.
287
00:11:17,640 –> 00:11:21,800
And this is where logs and metrics cross tier, so incident response becomes a query,
288
00:11:21,800 –> 00:11:22,880
not a group chat.
289
00:11:22,880 –> 00:11:25,760
A lot of teams try to skip this tier because it doesn’t ship features.
290
00:11:25,760 –> 00:11:26,560
That’s the mistake.
291
00:11:26,560 –> 00:11:28,320
The governance tier doesn’t ship features.
292
00:11:28,320 –> 00:11:29,800
It prevents entropy.
293
00:11:29,800 –> 00:11:33,160
An entropy is what kills your features after they succeed.
294
00:11:33,160 –> 00:11:38,200
Now here’s what changes when you adopt the three tier model, not capability, ownership.
295
00:11:38,200 –> 00:11:42,320
In a low-code purity world, the maker owns everything by default, the trigger, the logic,
296
00:11:42,320 –> 00:11:46,200
the data shaping, the credentials, the error handling, the notifications, and the downstream
297
00:11:46,200 –> 00:11:47,200
rights.
298
00:11:47,200 –> 00:11:49,480
That feels empowering right up until it becomes unreviewable.
299
00:11:49,480 –> 00:11:54,120
In the three tier model, the maker owns orchestration, engineers own execution, platform
300
00:11:54,120 –> 00:11:56,440
and security teams own governance.
301
00:11:56,440 –> 00:12:02,000
And the seams between them are formal, authentication, authorization, network paths, contracts and
302
00:12:02,000 –> 00:12:03,000
correlated logs.
303
00:12:03,000 –> 00:12:05,680
That distinction matters because it creates survivability.
304
00:12:05,680 –> 00:12:07,840
When someone leaves, the principle still exists.
305
00:12:07,840 –> 00:12:10,480
When a package needs patching, the service is updated once.
306
00:12:10,480 –> 00:12:14,680
When an audit asks how data moves, you can answer with boundaries, not with hope.
307
00:12:14,680 –> 00:12:18,720
When scale arrives, throttling and queues exist where they belong, not embedded as delay
308
00:12:18,720 –> 00:12:20,840
30 seconds inside a flow.
309
00:12:20,840 –> 00:12:24,160
And the punchline is simple, power platform doesn’t lose value in this model.
310
00:12:24,160 –> 00:12:25,160
It gains value.
311
00:12:25,160 –> 00:12:29,440
Because now it can stay what it actually is, a control plane for business process.
312
00:12:29,440 –> 00:12:31,760
While Python does what it’s always done, compute.
313
00:12:31,760 –> 00:12:36,000
And Azure does what enterprises always forget they need until after the incident.
314
00:12:36,000 –> 00:12:37,200
In force.
315
00:12:37,200 –> 00:12:40,080
The anti-pattern Python is a sidecar in the shadows.
316
00:12:40,080 –> 00:12:43,200
The anti-pattern looks innocent because it usually starts as a demo.
317
00:12:43,200 –> 00:12:47,440
Someone proves power automate can trigger Python by dropping a file in one drive, then a
318
00:12:47,440 –> 00:12:50,160
local script notices the file and does the work.
319
00:12:50,160 –> 00:12:53,320
Or Python triggers a flow by calling an HTTP endpoint.
320
00:12:53,320 –> 00:12:56,960
It works, everyone claps, the organization calls it innovation, what they actually build
321
00:12:56,960 –> 00:12:58,400
is a sidecar in the shadows.
322
00:12:58,400 –> 00:12:59,680
It’s not an execution tier.
323
00:12:59,680 –> 00:13:01,000
It’s a haunted extension cord.
324
00:13:01,000 –> 00:13:02,960
The first variant is the file watcher.
325
00:13:02,960 –> 00:13:04,600
Power automate writes a file to a folder.
326
00:13:04,600 –> 00:13:06,080
Python pulls the folder.
327
00:13:06,080 –> 00:13:07,320
When a file appears it runs.
328
00:13:07,320 –> 00:13:10,240
The weird part is how quickly this becomes production behavior.
329
00:13:10,240 –> 00:13:12,120
Not because it’s good, because it’s easy.
330
00:13:12,120 –> 00:13:15,800
And once a business process depends on it, nobody wants to touch it.
331
00:13:15,800 –> 00:13:18,840
But a polling script is a governance failure disguised as automation.
332
00:13:18,840 –> 00:13:19,840
It has no contract.
333
00:13:19,840 –> 00:13:21,280
It has no authenticated caller.
334
00:13:21,280 –> 00:13:23,160
It has no explicit authorization model.
335
00:13:23,160 –> 00:13:25,440
It has no deterministic retry behavior.
336
00:13:25,440 –> 00:13:29,520
It has wild true and asleep timer, which is basically the architectural equivalent of leaving
337
00:13:29,520 –> 00:13:32,800
a car idling because you don’t trust it to start again.
338
00:13:32,800 –> 00:13:34,240
Then you get the next variant.
339
00:13:34,240 –> 00:13:36,320
Local scripts on laptops or jump boxes.
340
00:13:36,320 –> 00:13:38,880
The flow writes a file, a scheduled task runs Python.
341
00:13:38,880 –> 00:13:40,880
A team shares the script in TeamsChat.
342
00:13:40,880 –> 00:13:42,960
Somebody pins a message with, don’t delete this.
343
00:13:42,960 –> 00:13:47,440
And now the availability of your automation depends on whether a workstation reboots during
344
00:13:47,440 –> 00:13:48,440
patch Tuesday.
345
00:13:48,440 –> 00:13:50,200
This is what incident reviews sound like.
346
00:13:50,200 –> 00:13:51,200
It worked yesterday.
347
00:13:51,200 –> 00:13:53,640
No, a person’s workstation worked yesterday.
348
00:13:53,640 –> 00:13:57,840
The third variant is the service account because eventually somebody gets tired of MFA
349
00:13:57,840 –> 00:13:59,600
prompts and broken connections.
350
00:13:59,600 –> 00:14:04,160
So they create automation at company, com, granted broad access and store the password
351
00:14:04,160 –> 00:14:06,480
somewhere that feels private until it isn’t.
352
00:14:06,480 –> 00:14:08,960
That account becomes the keystone of the whole arrangement.
353
00:14:08,960 –> 00:14:10,160
It authenticates the script.
354
00:14:10,160 –> 00:14:11,560
It authenticates the connectors.
355
00:14:11,560 –> 00:14:14,920
It authenticates the downstream rights and nobody can tell you who’s responsible for
356
00:14:14,920 –> 00:14:15,920
it.
357
00:14:15,920 –> 00:14:18,240
In architectural terms, you didn’t solve authentication.
358
00:14:18,240 –> 00:14:22,680
You manufactured an entropy generator and yes, the sidecar can be in the cloud and still
359
00:14:22,680 –> 00:14:24,520
be the same anti-pattern.
360
00:14:24,520 –> 00:14:29,480
A container running Python with a public endpoint, a function app with no network containment,
361
00:14:29,480 –> 00:14:32,760
a web hook that accepts anonymous requests because it’s just internal.
362
00:14:32,760 –> 00:14:36,440
It is a key in a config file because we’ll move it to Key Vault later.
363
00:14:36,440 –> 00:14:37,440
Later never arrives.
364
00:14:37,440 –> 00:14:40,080
Later is where security debt goes to retire comfortably.
365
00:14:40,080 –> 00:14:42,520
This is why sidecar Python fails in incident reviews.
366
00:14:42,520 –> 00:14:44,480
Ownership and boundaries are undefined.
367
00:14:44,480 –> 00:14:45,640
Who owns the runtime?
368
00:14:45,640 –> 00:14:48,120
Who patches the dependencies when a CVE drops?
369
00:14:48,120 –> 00:14:49,120
Who rotates the secret?
370
00:14:49,120 –> 00:14:50,120
Who reviews the code?
371
00:14:50,120 –> 00:14:52,080
Who decides what outbound calls are allowed?
372
00:14:52,080 –> 00:14:54,240
Who has the logs when it fails at 3am?
373
00:14:54,240 –> 00:14:55,600
And the most important question?
374
00:14:55,600 –> 00:14:59,680
Who is accountable when the script quietly exfiltrates data to somewhere that was never
375
00:14:59,680 –> 00:15:01,000
modeled?
376
00:15:01,000 –> 00:15:04,640
Because somebody imported a library that phones home for updates.
377
00:15:04,640 –> 00:15:06,600
The operational rod shows up first.
378
00:15:06,600 –> 00:15:08,800
The script works until a package version changes.
379
00:15:08,800 –> 00:15:10,360
It works until the OS updates.
380
00:15:10,360 –> 00:15:12,240
It works until the directory path changes.
381
00:15:12,240 –> 00:15:15,280
It works until the one drive sync client decides its offline.
382
00:15:15,280 –> 00:15:18,080
It works until the maker renames a file and the parser breaks.
383
00:15:18,080 –> 00:15:20,800
It works until concurrency shows up in two runs collide.
384
00:15:20,800 –> 00:15:24,920
And when it fails, it fails in a place the power platform team can’t see.
385
00:15:24,920 –> 00:15:28,880
Outside the run history, outside the connector logs, outside the environment telemetry.
386
00:15:28,880 –> 00:15:33,000
Your control plane loses observability exactly where you introduced complexity.
387
00:15:33,000 –> 00:15:34,320
Then the security rod shows up.
388
00:15:34,320 –> 00:15:36,640
The data path becomes outbound by accident.
389
00:15:36,640 –> 00:15:40,040
Dataverse data gets written to files because that was the easiest handoff.
390
00:15:40,040 –> 00:15:43,760
Those files land in places with consumer sync clients, retention policies you didn’t
391
00:15:43,760 –> 00:15:46,040
design and access you didn’t review.
392
00:15:46,040 –> 00:15:50,280
For the Python script calls back into power automate through an HTTP trigger that has no
393
00:15:50,280 –> 00:15:53,680
meaningful authorization beyond, you know the URL.
394
00:15:53,680 –> 00:15:56,760
That’s not integration, that’s a back door you forgot you created.
395
00:15:56,760 –> 00:16:01,560
And the irony is that the bidirectional arrow, the thing people love to show on slides, can
396
00:16:01,560 –> 00:16:02,840
be real and safe.
397
00:16:02,840 –> 00:16:05,360
But only if you treat it like a tier boundary with enforcement.
398
00:16:05,360 –> 00:16:08,280
A side car is what you get when you treat Python like a hack.
399
00:16:08,280 –> 00:16:11,720
A hybrid architecture is what you get when you treat Python like a service and a
400
00:16:11,720 –> 00:16:15,400
zure like the enforcement layer and power platform like the coordinator that never stops
401
00:16:15,400 –> 00:16:16,960
being a control plane.
402
00:16:16,960 –> 00:16:18,720
That’s the replacement pattern.
403
00:16:18,720 –> 00:16:22,080
And to do it, you start with the thing everyone tries to postpone.
404
00:16:22,080 –> 00:16:23,360
Identity.
405
00:16:23,360 –> 00:16:26,960
Integration paths, two directions, one governance standard.
406
00:16:26,960 –> 00:16:31,040
There are only two integration directions that matter and both are legitimate.
407
00:16:31,040 –> 00:16:33,680
Power automate to Python and Python to power automate.
408
00:16:33,680 –> 00:16:37,320
The problem is that most tenants implement both as if they’re different species with different
409
00:16:37,320 –> 00:16:38,440
standards.
410
00:16:38,440 –> 00:16:41,080
One is treated as a flow calling an API.
411
00:16:41,080 –> 00:16:44,120
The other is treated as a script calling a web hook.
412
00:16:44,120 –> 00:16:47,200
And governance evaporates because it’s just automation.
413
00:16:47,200 –> 00:16:48,200
It’s not.
414
00:16:48,200 –> 00:16:52,080
It’s crossed here execution and it needs one governance standard, no matter which direction
415
00:16:52,080 –> 00:16:54,920
the arrow points start with power automate to Python.
416
00:16:54,920 –> 00:16:59,520
This is the cleaner mental model for most organizations because it preserves what power
417
00:16:59,520 –> 00:17:01,000
platform is good at.
418
00:17:01,000 –> 00:17:02,320
It stays the coordinator.
419
00:17:02,320 –> 00:17:03,640
A trigger happens.
420
00:17:03,640 –> 00:17:07,160
A maker owned process decides that computation is required.
421
00:17:07,160 –> 00:17:10,880
Then the flow calls a deterministic execution service and waits for a result.
422
00:17:10,880 –> 00:17:14,960
The flow remains the system of record for the process state approvals notifications and
423
00:17:14,960 –> 00:17:15,960
escalation.
424
00:17:15,960 –> 00:17:18,880
Python does the heavy lifting and returns structured output.
425
00:17:18,880 –> 00:17:23,080
That output has to look like a contract, a schema, a status, a list of errors, a data and
426
00:17:23,080 –> 00:17:24,080
a correlation ID.
427
00:17:24,080 –> 00:17:26,400
Not here’s a string, not check the logs.
428
00:17:26,400 –> 00:17:28,000
Not it worked on my machine.
429
00:17:28,000 –> 00:17:32,640
If the execution tier fails, the orchestration tier should be able to route that failure.
430
00:17:32,640 –> 00:17:36,720
Retry intentionally, raise an incident or park the record for human review.
431
00:17:36,720 –> 00:17:40,760
That means the flow needs stable responses and stable failure modes.
432
00:17:40,760 –> 00:17:42,760
The execution tier’s job is not to be clever.
433
00:17:42,760 –> 00:17:43,920
It’s to be predictable.
434
00:17:43,920 –> 00:17:44,920
Now flip it.
435
00:17:44,920 –> 00:17:46,400
Python to power automate.
436
00:17:46,400 –> 00:17:48,320
This direction exists for a reason.
437
00:17:48,320 –> 00:17:50,400
Sometimes the event source isn’t power platform.
438
00:17:50,400 –> 00:17:51,400
It’s a data science job.
439
00:17:51,400 –> 00:17:52,400
It’s a batch ingestion.
440
00:17:52,400 –> 00:17:53,520
It’s an external system.
441
00:17:53,520 –> 00:17:57,160
It’s a scheduled compute process that decides something important happened and the business
442
00:17:57,160 –> 00:18:02,680
process needs to run, notify a team, create an approval, update a dataverse record through
443
00:18:02,680 –> 00:18:05,960
a governed path or kickoff downstream coordination.
444
00:18:05,960 –> 00:18:09,120
So Python calls a flow, usually through an HTTP trigger.
445
00:18:09,120 –> 00:18:13,000
And this is where people get sloppy because HTTP triggers look like convenience.
446
00:18:13,000 –> 00:18:14,000
They’re not.
447
00:18:14,000 –> 00:18:15,400
They are an orchestration entry point.
448
00:18:15,400 –> 00:18:17,920
They are literally the front door to your control plane.
449
00:18:17,920 –> 00:18:21,520
Treating them like a back door is how you end up with anonymous URLs floating around
450
00:18:21,520 –> 00:18:26,240
in scripts, paste it into wikis, shared in email threads, and embedded in code that gets
451
00:18:26,240 –> 00:18:28,240
copied into the next quick fix.
452
00:18:28,240 –> 00:18:29,320
You can’t rotate culture.
453
00:18:29,320 –> 00:18:30,520
You can rotate credentials.
454
00:18:30,520 –> 00:18:36,000
So if Python triggers power automate, it must do it as an authenticated, authorized principle
455
00:18:36,000 –> 00:18:40,120
with explicit permissions and the flow must enforce those assumptions.
456
00:18:40,120 –> 00:18:43,240
The caller identity shouldn’t be anyone who knows the URL.
457
00:18:43,240 –> 00:18:46,360
It should be a workload identity you can disable scope and audit.
458
00:18:46,360 –> 00:18:50,520
By directionality matters because it decouples business coordination from compute.
459
00:18:50,520 –> 00:18:52,680
That’s the entire point of the three tier model.
460
00:18:52,680 –> 00:18:57,240
You want the workflow to remain stable even as the execution logic evolves and you want
461
00:18:57,240 –> 00:19:01,200
execution to scale and change without rewriting the business process layer.
462
00:19:01,200 –> 00:19:03,240
Both directions support that decoupling.
463
00:19:03,240 –> 00:19:05,600
But only if they share one governance standard.
464
00:19:05,600 –> 00:19:07,840
There is that standard and it’s non-negotiable.
465
00:19:07,840 –> 00:19:11,720
Every cross tier call must be authenticated, authorized, and logged.
466
00:19:11,720 –> 00:19:15,640
Authenticated means the caller proves who it is using tokens not shared secrets stuffed
467
00:19:15,640 –> 00:19:17,160
into a flow action.
468
00:19:17,160 –> 00:19:21,160
Authorized means the caller can only do the specific thing it needs to do, not contributor
469
00:19:21,160 –> 00:19:24,360
on the whole resource group because it was faster.
470
00:19:24,360 –> 00:19:28,440
Logged means the call creates evidence who called what was requested, what was returned,
471
00:19:28,440 –> 00:19:30,280
how long it took, and why it failed.
472
00:19:30,280 –> 00:19:33,200
And yes, the log requirement is part of the interface.
473
00:19:33,200 –> 00:19:37,640
If you can’t correlate the flow run to the function invocation to the downstream data
474
00:19:37,640 –> 00:19:40,160
verse operation, you do not have an architecture.
475
00:19:40,160 –> 00:19:41,720
You have a distributed guessing game.
476
00:19:41,720 –> 00:19:45,920
This is also where people start arguing about tools, functions versus containers.
477
00:19:45,920 –> 00:19:48,440
APIM versus direct calls.
478
00:19:48,440 –> 00:19:50,800
Private endpoints versus public with IP restrictions.
479
00:19:50,800 –> 00:19:52,280
Those details matter later.
480
00:19:52,280 –> 00:19:53,960
First you decide the behavioral rules.
481
00:19:53,960 –> 00:19:57,120
The hybrid mandate doesn’t care whether you like Python or dislike it.
482
00:19:57,120 –> 00:20:00,480
It cares whether the execution tier behaves like a govern service.
483
00:20:00,480 –> 00:20:03,960
It cares whether the orchestration tier remains readable and survivable.
484
00:20:03,960 –> 00:20:06,920
It cares whether Azure enforces the boundaries you claim exist.
485
00:20:06,920 –> 00:20:09,480
So pick your direction based on the event source.
486
00:20:09,480 –> 00:20:13,800
But enforce the same governance standard either way and start where every boundary decision
487
00:20:13,800 –> 00:20:16,560
starts, whether you admitted or not, identity.
488
00:20:16,560 –> 00:20:19,880
Identity boundary, flow authenticated via intra ID.
489
00:20:19,880 –> 00:20:24,000
Identity is where hybrid architectures either become governable or become folklore.
490
00:20:24,000 –> 00:20:27,640
Because the first thing most people do when they connect, power automate to some Python
491
00:20:27,640 –> 00:20:28,720
is borrow a human.
492
00:20:28,720 –> 00:20:32,040
They create a connection with their own account, test it, publish it and move on.
493
00:20:32,040 –> 00:20:33,440
It runs, the business is happy.
494
00:20:33,440 –> 00:20:38,160
And now production depends on one person’s token refresh behavior, licensing status, MFA
495
00:20:38,160 –> 00:20:40,800
prompts, password resets and eventual offboarding.
496
00:20:40,800 –> 00:20:42,160
That isn’t automation.
497
00:20:42,160 –> 00:20:44,240
That’s employee impersonation at scale.
498
00:20:44,240 –> 00:20:48,640
In the hybrid mandate, every cross tier call is a workload call, not a human call.
499
00:20:48,640 –> 00:20:53,720
That means the principle has to be explicit, named, owned, auditable.
500
00:20:53,720 –> 00:20:57,880
And designed to survive leadership changes, reogs and attrition.
501
00:20:57,880 –> 00:21:00,520
Because those are the only constants in enterprise IT.
502
00:21:00,520 –> 00:21:02,000
So start with the hard rule.
503
00:21:02,000 –> 00:21:06,480
Stop using some users credentials for anything that runs without a user present.
504
00:21:06,480 –> 00:21:10,320
If a flow needs to call the Python execution tier, typically an Azure function, container
505
00:21:10,320 –> 00:21:15,120
endpoint or a service behind API management, then the flow must authenticate using intra
506
00:21:15,120 –> 00:21:17,280
ID as a workload identity.
507
00:21:17,280 –> 00:21:21,960
In practice, that usually means one of two things, a service principle or a managed identity.
508
00:21:21,960 –> 00:21:24,160
A service principle is the classic pattern.
509
00:21:24,160 –> 00:21:29,040
An app registration in intra ID with defined permissions, a credential and a clear life cycle.
510
00:21:29,040 –> 00:21:30,040
It’s fine.
511
00:21:30,040 –> 00:21:34,000
It’s also where entropy enters because people treat client secrets like passwords and
512
00:21:34,000 –> 00:21:36,080
then paste them into places they don’t belong.
513
00:21:36,080 –> 00:21:40,920
A secret in a flow action, a secret in an environment variable that’s shared across environments,
514
00:21:40,920 –> 00:21:44,000
a secret in a wiki page because the SOE needs it.
515
00:21:44,000 –> 00:21:48,080
Then six months later, nobody knows where it’s used, so nobody rotates it.
516
00:21:48,080 –> 00:21:50,720
Now the secret is permanent and permanent secrets are a design failure.
517
00:21:50,720 –> 00:21:55,040
A managed identity is what enterprises should prefer when the execution tier lives in a
518
00:21:55,040 –> 00:21:56,040
Azure.
519
00:21:56,040 –> 00:21:57,960
It removes the secret handling problem entirely.
520
00:21:57,960 –> 00:21:59,520
The runtime gets an identity.
521
00:21:59,520 –> 00:22:01,680
The identity gets permissions.
522
00:22:01,680 –> 00:22:03,240
Tokens are issued automatically.
523
00:22:03,240 –> 00:22:04,640
Rotation is no longer your problem.
524
00:22:04,640 –> 00:22:05,880
That’s not convenience.
525
00:22:05,880 –> 00:22:09,880
That’s reducing attack surface and operational toilet at the same time, which is rare enough
526
00:22:09,880 –> 00:22:12,360
that you should take it whenever you can.
527
00:22:12,360 –> 00:22:15,720
But whether you use a service principle or manage the identity, the critical behavior
528
00:22:15,720 –> 00:22:16,720
is the same.
529
00:22:16,720 –> 00:22:19,040
Token-based calls with least privilege.
530
00:22:19,040 –> 00:22:22,680
The execution tier should accept only valid tokens from known callers.
531
00:22:22,680 –> 00:22:25,040
It should validate audience issuer and claims.
532
00:22:25,040 –> 00:22:29,480
It should reject anonymous calls, shared keys and its internal assumptions.
533
00:22:29,480 –> 00:22:33,000
And the identity should be scoped to exactly what it needs.
534
00:22:33,000 –> 00:22:36,280
Call this API in this environment with this role.
535
00:22:36,280 –> 00:22:38,480
Not contributor because it was faster.
536
00:22:38,480 –> 00:22:40,600
Not owner because troubleshooting was annoying.
537
00:22:40,600 –> 00:22:42,640
Those shortcuts don’t stay temporary.
538
00:22:42,640 –> 00:22:44,000
They become the architecture.
539
00:22:44,000 –> 00:22:48,320
This is also where conditional access enters the chat and quietly ruins people’s day.
540
00:22:48,320 –> 00:22:50,920
Non-interactive workloads don’t do MFA prompts.
541
00:22:50,920 –> 00:22:52,880
They don’t pass device compliance checks.
542
00:22:52,880 –> 00:22:54,120
They don’t open a browser.
543
00:22:54,120 –> 00:22:58,080
So the tenant needs conditional access policies that explicitly account for service principles
544
00:22:58,080 –> 00:22:59,640
and managed identities.
545
00:22:59,640 –> 00:23:02,240
Otherwise you’ll oscillate between two failure modes.
546
00:23:02,240 –> 00:23:06,520
Either you block the workload and break production, or you exempt it broadly and create a permanent
547
00:23:06,520 –> 00:23:07,520
bypass.
548
00:23:07,520 –> 00:23:09,240
The hybrid mandate doesn’t accept either.
549
00:23:09,240 –> 00:23:13,520
The identity boundary must be designed as a first class workload pattern.
550
00:23:13,520 –> 00:23:17,880
Dedicated principles, explicit assignments and policies that treat automation as automation
551
00:23:17,880 –> 00:23:20,280
not as a human pretending to be a robot.
552
00:23:20,280 –> 00:23:21,960
Now the ownership model.
553
00:23:21,960 –> 00:23:25,400
This is the part everyone avoids because it forces accountability.
554
00:23:25,400 –> 00:23:26,880
Who owns the app registration?
555
00:23:26,880 –> 00:23:28,360
Who owns the managed identity?
556
00:23:28,360 –> 00:23:29,880
Who owns the API permissions?
557
00:23:29,880 –> 00:23:33,200
Who owns incident response when the principle starts getting denied?
558
00:23:33,200 –> 00:23:35,760
If the answer is the maker, you’ve already lost.
559
00:23:35,760 –> 00:23:38,080
Because makers don’t own entrapostia.
560
00:23:38,080 –> 00:23:39,480
Security and platform teams do.
561
00:23:39,480 –> 00:23:43,920
If the answer is the cloud team but they don’t own the flow logic, you’ve split responsibility
562
00:23:43,920 –> 00:23:44,920
without a contract.
563
00:23:44,920 –> 00:23:46,440
So define it.
564
00:23:46,440 –> 00:23:52,440
makers own orchestration artifacts, engineers own execution services and platform security
565
00:23:52,440 –> 00:23:54,040
owns identities and policy.
566
00:23:54,040 –> 00:23:55,600
And yes, that sounds bureaucratic.
567
00:23:55,600 –> 00:23:56,600
It’s not.
568
00:23:56,600 –> 00:23:58,080
It’s survivability engineering.
569
00:23:58,080 –> 00:24:02,400
Because when an employee leaves, a flow authenticated as them becomes an outage with a calendar
570
00:24:02,400 –> 00:24:03,400
invite.
571
00:24:03,400 –> 00:24:07,240
When a flow authenticates as a workload principle, off-boarding is irrelevant.
572
00:24:07,240 –> 00:24:11,240
The system keeps running and the audit trail still points to a non-human identity that
573
00:24:11,240 –> 00:24:16,040
can be governed, rotated and revoked, without rewriting the business process.
574
00:24:16,040 –> 00:24:19,440
This is why identity is the first boundary it determines every other boundary.
575
00:24:19,440 –> 00:24:22,640
But identity without network containment is still an exposed surface.
576
00:24:22,640 –> 00:24:28,480
So next comes the network boundary where private stops being a vibe and becomes a property.
577
00:24:28,480 –> 00:24:31,120
Network boundary, private endpoint for the function.
578
00:24:31,120 –> 00:24:33,040
Network is the part everyone hand waves with.
579
00:24:33,040 –> 00:24:34,760
It’s in Azure, so it’s fine.
580
00:24:34,760 –> 00:24:38,960
That sentence has funded more incident retrospectives than any attacker ever has.
581
00:24:38,960 –> 00:24:44,320
If the Python execution tier sits behind a public URL, you’ve created a permanent exception.
582
00:24:44,320 –> 00:24:47,720
Maybe you lock it down with a function key, maybe you add IP restrictions, maybe you stick
583
00:24:47,720 –> 00:24:50,200
it behind a waft later, but the physics don’t change.
584
00:24:50,200 –> 00:24:53,960
You made your execution tier internet reachable and now you will spend the rest of its life
585
00:24:53,960 –> 00:24:55,960
explaining why that’s acceptable.
586
00:24:55,960 –> 00:24:57,520
This is the uncomfortable truth.
587
00:24:57,520 –> 00:24:59,720
Public endpoints become policy debt.
588
00:24:59,720 –> 00:25:04,000
They start as temporary, then they become dependency, then they become sacred.
589
00:25:04,000 –> 00:25:06,440
Once flows, scripts and systems depend on that endpoint.
590
00:25:06,440 –> 00:25:09,200
Nobody wants to break it to fix it, so it stays public.
591
00:25:09,200 –> 00:25:13,600
Forever, with just one allow list, with just one bypass for a partner, with just one
592
00:25:13,600 –> 00:25:15,280
exception for a test tool.
593
00:25:15,280 –> 00:25:18,880
And then your back to conditional chaos, except now it’s network shaped.
594
00:25:18,880 –> 00:25:21,320
Private endpoint exists to stop the argument.
595
00:25:21,320 –> 00:25:23,960
Private endpoint makes reachable a govern property.
596
00:25:23,960 –> 00:25:25,760
The service is still the same function app.
597
00:25:25,760 –> 00:25:29,560
The code is still the same Python, but the front door moves off the public internet and
598
00:25:29,560 –> 00:25:31,520
into your private address space.
599
00:25:31,520 –> 00:25:36,840
That means if something wants to call the execution tier, it has to be inside your network boundary,
600
00:25:36,840 –> 00:25:39,960
or it has to come through an explicitly governed ingress point.
601
00:25:39,960 –> 00:25:44,080
That distinction matters because identity without containment is still an attack surface.
602
00:25:44,080 –> 00:25:46,080
Entra proves who is calling?
603
00:25:46,080 –> 00:25:47,160
Network proves from where?
604
00:25:47,160 –> 00:25:51,200
If you only do identity, you’re still betting that nobody can reach the endpoint except
605
00:25:51,200 –> 00:25:52,480
the callers you intended.
606
00:25:52,480 –> 00:25:54,280
That’s not an architectural guarantee.
607
00:25:54,280 –> 00:25:55,640
That’s a hope with certificates.
608
00:25:55,640 –> 00:25:57,800
So what does this look like in a hybrid mandate?
609
00:25:57,800 –> 00:26:00,680
The Python execution tier runs in Azure Functions.
610
00:26:00,680 –> 00:26:03,480
The function gets vnet integration for outbound.
611
00:26:03,480 –> 00:26:07,240
Then you expose inbound through private endpoint, so the function’s runtime is reachable
612
00:26:07,240 –> 00:26:10,360
only via private IP with private DNS resolution.
613
00:26:10,360 –> 00:26:13,520
Now your API isn’t on the internet with rules.
614
00:26:13,520 –> 00:26:17,800
It’s an internal service with an explicit entry path, and yes, there are multiple patterns
615
00:26:17,800 –> 00:26:21,200
depending on how strict you need to be and what else you’re integrating with.
616
00:26:21,200 –> 00:26:22,440
The details change.
617
00:26:22,440 –> 00:26:23,520
The principle doesn’t.
618
00:26:23,520 –> 00:26:27,720
You don’t make your execution tier public just because it’s convenient for a flow action.
619
00:26:27,720 –> 00:26:31,080
There’s an immediate pushback here, but power automate is SAS.
620
00:26:31,080 –> 00:26:32,960
How does it call a private endpoint?
621
00:26:32,960 –> 00:26:36,600
That question is exactly why network boundaries force architectural clarity.
622
00:26:36,600 –> 00:26:41,160
If a SAS orchestrator has to call into a private execution tier, you need a deliberate bridge.
623
00:26:41,160 –> 00:26:44,040
Not a leak, not a random public exception.
624
00:26:44,040 –> 00:26:47,480
Sometimes that bridge is API management with private back end connectivity acting as
625
00:26:47,480 –> 00:26:49,960
a controlled ingress with policy enforcement.
626
00:26:49,960 –> 00:26:52,360
Sometimes it’s a relay pattern, sometimes it’s a queue.
627
00:26:52,360 –> 00:26:56,520
The flow writes a message to a governed broker, and the execution tier pulls it from inside
628
00:26:56,520 –> 00:26:57,520
the network.
629
00:26:57,520 –> 00:27:00,520
The hybrid mandate doesn’t require one specific implementation.
630
00:27:00,520 –> 00:27:05,440
It requires that the bridge is explicit, auditable and owned because the failure mode is predictable.
631
00:27:05,440 –> 00:27:10,080
If the flow can’t reach the function privately, people will make it public for now.
632
00:27:10,080 –> 00:27:12,280
And for now is how permanent exposure happens.
633
00:27:12,280 –> 00:27:15,520
Private endpoint also forces you to get serious about outbound paths.
634
00:27:15,520 –> 00:27:18,800
A function app can talk to anything by default if you let it.
635
00:27:18,800 –> 00:27:22,880
That means the execution tier can quietly become a data exfiltration engine with legitimate
636
00:27:22,880 –> 00:27:24,120
credentials.
637
00:27:24,120 –> 00:27:28,960
Private networking and controlled egress through naty, firewalls or inspected routes turn
638
00:27:28,960 –> 00:27:34,160
outbound traffic into something you can actually reason about, not perfectly, but architecturally.
639
00:27:34,160 –> 00:27:36,160
And when you do that, you change the operating model.
640
00:27:36,160 –> 00:27:40,320
You stop treating the execution tier like a hobby project and start treating it like production
641
00:27:40,320 –> 00:27:45,560
infrastructure, governed ingress, governed egress, named dependencies, and no surprise internet
642
00:27:45,560 –> 00:27:47,240
reachability.
643
00:27:47,240 –> 00:27:49,840
The business benefit isn’t security theater.
644
00:27:49,840 –> 00:27:50,840
It’s stability.
645
00:27:50,840 –> 00:27:54,160
When an endpoint is private, random internet noise doesn’t hit it.
646
00:27:54,160 –> 00:27:55,760
Scanners don’t find it.
647
00:27:55,760 –> 00:27:58,040
Opportunistic probing doesn’t become your baseline.
648
00:27:58,040 –> 00:28:02,080
You reduce the ambient attack traffic that everyone pretends doesn’t matter until it does.
649
00:28:02,080 –> 00:28:03,760
So the network boundary is simple.
650
00:28:03,760 –> 00:28:06,680
The Python execution tier lives behind private endpoint.
651
00:28:06,680 –> 00:28:10,920
If something needs to reach it, it does so through a designed path, not a public exception.
652
00:28:10,920 –> 00:28:13,760
And once you accept that, the next boundary becomes obvious.
653
00:28:13,760 –> 00:28:17,080
Network controls are pointless if the data path is still unmanaged.
654
00:28:17,080 –> 00:28:18,880
So now you define the data boundary.
655
00:28:18,880 –> 00:28:22,560
Dataverse stays inside the platform and you stop pretending direct external access is
656
00:28:22,560 –> 00:28:24,440
just integration.
657
00:28:24,440 –> 00:28:25,440
Data boundary.
658
00:28:25,440 –> 00:28:28,280
Dataverse never directly exposed externally.
659
00:28:28,280 –> 00:28:32,520
Dataverse is where organizations accidentally confuse accessible with governed.
660
00:28:32,520 –> 00:28:36,800
Because dataverse feels like a database, it has tables, rows, relationships, and an API
661
00:28:36,800 –> 00:28:37,800
surface.
662
00:28:37,800 –> 00:28:39,120
So the instinct is obvious.
663
00:28:39,120 –> 00:28:42,640
If Python needs data, just let Python talk to dataverse directly.
664
00:28:42,640 –> 00:28:44,840
Over the API, get the job done.
665
00:28:44,840 –> 00:28:47,560
That instinct is how the data boundary collapses.
666
00:28:47,560 –> 00:28:51,680
In the hybrid mandate, dataverse is the governed system of record that stays behind
667
00:28:51,680 –> 00:28:52,680
the platform.
668
00:28:52,680 –> 00:28:56,080
It is not an integration playground for every script that wants a shortcut.
669
00:28:56,080 –> 00:28:57,280
The reason isn’t moral.
670
00:28:57,280 –> 00:28:58,280
It’s mechanical.
671
00:28:58,280 –> 00:29:02,440
The moment you expose dataverse directly to external execution runtimes, you multiply
672
00:29:02,440 –> 00:29:07,200
the number of identities, endpoints, and permission models that can touch your core business data.
673
00:29:07,200 –> 00:29:08,520
You’re not integrating.
674
00:29:08,520 –> 00:29:10,320
You’re expanding the blast radius.
675
00:29:10,320 –> 00:29:14,280
And blast radius is what audits actually measure even when they pretend they’re asking
676
00:29:14,280 –> 00:29:15,280
about policies.
677
00:29:15,280 –> 00:29:16,400
So the rule is simple.
678
00:29:16,400 –> 00:29:20,680
The execution tier talks to a controlled interface, not to dataverse endpoints.
679
00:29:20,680 –> 00:29:23,440
Power platform orchestrates access to dataverse.
680
00:29:23,440 –> 00:29:26,400
And as your governs the interface that crosses tiers.
681
00:29:26,400 –> 00:29:30,520
That means the Python tier should not be running an SDK that casually reads whole tables
682
00:29:30,520 –> 00:29:31,520
because it can.
683
00:29:31,520 –> 00:29:35,240
It should be calling a service contract that gives it only the minimum payload needed to
684
00:29:35,240 –> 00:29:36,240
compute.
685
00:29:36,240 –> 00:29:40,440
If the execution tier needs 12 fields, it gets 12 fields, not the record, not the table,
686
00:29:40,440 –> 00:29:42,800
not a just in case dump because it was convenient.
687
00:29:42,800 –> 00:29:43,800
This might seem restrictive.
688
00:29:43,800 –> 00:29:44,800
It’s not.
689
00:29:44,800 –> 00:29:48,640
It’s what keeps your tenant from turning into an accidental data lake full of copies, caches,
690
00:29:48,640 –> 00:29:50,280
and half deleted exports.
691
00:29:50,280 –> 00:29:52,000
Think in terms of the authorization graph.
692
00:29:52,000 –> 00:29:56,280
When a flow reads dataverse, it does so through a governed identity and an environment
693
00:29:56,280 –> 00:29:58,680
boundary that your platform team can see.
694
00:29:58,680 –> 00:30:02,760
When a random script reads dataverse, you’ve shifted access into places you don’t inventory
695
00:30:02,760 –> 00:30:08,280
well, developer machines, notebooks, build agents, containers, and service principles that
696
00:30:08,280 –> 00:30:11,560
end up overprivileged because it kept failing.
697
00:30:11,560 –> 00:30:13,200
That is the erosion path.
698
00:30:13,200 –> 00:30:14,520
Complexity creates friction.
699
00:30:14,520 –> 00:30:17,800
Friction creates privilege escalation and privilege escalation becomes permanent.
700
00:30:17,800 –> 00:30:19,760
The clean pattern is mediated access.
701
00:30:19,760 –> 00:30:23,760
Power automate or a governed API tier reads from dataverse and sends a narrow payload to
702
00:30:23,760 –> 00:30:25,400
Python for execution.
703
00:30:25,400 –> 00:30:29,400
Then returns a narrow result, normalized data, validation outcomes, dedupe decisions,
704
00:30:29,400 –> 00:30:33,000
inference scores, whatever the use case requires, then the orchestration tier commits back to
705
00:30:33,000 –> 00:30:35,200
dataverse through its governed pathways.
706
00:30:35,200 –> 00:30:36,520
This is not about performance.
707
00:30:36,520 –> 00:30:39,600
It’s about control because commit is where damage happens.
708
00:30:39,600 –> 00:30:44,360
Reads can leak, rights can corrupt, so the architecture has to make rights boring, predictable
709
00:30:44,360 –> 00:30:45,720
and policy bound.
710
00:30:45,720 –> 00:30:50,600
Dataverse rights should happen through patterns you can audit, throttle, and correlate.
711
00:30:50,600 –> 00:30:53,280
Not through scripts that mostly follow the rules.
712
00:30:53,280 –> 00:30:57,480
The other part of the data boundary is DLP alignment, and this is where most organizations
713
00:30:57,480 –> 00:31:00,160
get exposed while thinking they’re protected.
714
00:31:00,160 –> 00:31:03,400
DLP policies and power platform can restrict connector pairings.
715
00:31:03,400 –> 00:31:07,160
They can prevent dataverse data from flowing into consumer connectors.
716
00:31:07,160 –> 00:31:11,520
But if you let Python pull data directly from dataverse, then DLP becomes irrelevant.
717
00:31:11,520 –> 00:31:15,160
The data has already crossed the boundary into an uncontrolled runtime.
718
00:31:15,160 –> 00:31:16,560
From there it can go anywhere.
719
00:31:16,560 –> 00:31:21,000
Files, outbound APIs, third-party libraries, random storage accounts, or temporary folders
720
00:31:21,000 –> 00:31:22,960
that somehow last for years.
721
00:31:22,960 –> 00:31:26,480
So if you care about DLP, you have to care about where the data exits.
722
00:31:26,480 –> 00:31:30,160
The execution tier must receive only what it needs, and it must operate inside the same
723
00:31:30,160 –> 00:31:33,680
governance story, identity, network containment, and logged egress.
724
00:31:33,680 –> 00:31:37,400
Otherwise DLP is theater applied after the data already left.
725
00:31:37,400 –> 00:31:41,800
And yes, there are legitimate cases where pro developers will say, “But the dataverse SDK
726
00:31:41,800 –> 00:31:43,320
for Python exists.”
727
00:31:43,320 –> 00:31:46,520
Or, “We can use service to service authentication.”
728
00:31:46,520 –> 00:31:48,920
Or “We can lock it down with least privilege.”
729
00:31:48,920 –> 00:31:49,920
Those are tools.
730
00:31:49,920 –> 00:31:50,920
They are not a boundary.
731
00:31:50,920 –> 00:31:55,000
Then architectural rule that survives staff turnover, project pressure, and the next urgent
732
00:31:55,000 –> 00:31:56,000
request.
733
00:31:56,000 –> 00:31:59,320
If your boundary depends on every engineer remembering to do least privilege perfectly,
734
00:31:59,320 –> 00:32:00,320
you don’t have a boundary.
735
00:32:00,320 –> 00:32:01,400
You have good intentions.
736
00:32:01,400 –> 00:32:04,640
The hybrid mandate treats dataverse like a protected core.
737
00:32:04,640 –> 00:32:06,840
It stays inside the power platform trust envelope.
738
00:32:06,840 –> 00:32:10,780
Everything outside talks to it through explicit contracts that you can version, validate,
739
00:32:10,780 –> 00:32:11,780
and monitor.
740
00:32:11,780 –> 00:32:15,480
That reduces the number of paths into your system of record, and it keeps your data movement
741
00:32:15,480 –> 00:32:17,920
explainable when the inevitable question arrives.
742
00:32:17,920 –> 00:32:19,320
Where does this data go?
743
00:32:19,320 –> 00:32:22,800
So the data boundary is the line that keeps your system coherent.
744
00:32:22,800 –> 00:32:26,000
Dataverse never becomes a public dependency of the execution tier.
745
00:32:26,000 –> 00:32:28,560
Once you accept that the next boundary becomes unavoidable.
746
00:32:28,560 –> 00:32:32,680
If Python talks to a controlled interface, then that interface has to be managed as an
747
00:32:32,680 –> 00:32:35,240
API, not as an ad hoc endpoint.
748
00:32:35,240 –> 00:32:37,400
And that’s where the API boundary enters.
749
00:32:37,400 –> 00:32:40,960
The function gets wrapped in API management, whether you like it or not.
750
00:32:40,960 –> 00:32:45,000
API, boundary, function wrapped in API management.
751
00:32:45,000 –> 00:32:49,120
Once dataverse stops being directly reachable, you need an interface that can carry the
752
00:32:49,120 –> 00:32:50,680
load of that decision.
753
00:32:50,680 –> 00:32:53,840
And this is where most hybrid designs quietly collapse.
754
00:32:53,840 –> 00:32:58,600
They treat the Azure function like an API product, but they operate it like a shared script.
755
00:32:58,600 –> 00:33:02,880
API management exists to stop that drift, not because APM is magical, it isn’t.
756
00:33:02,880 –> 00:33:07,520
It’s because enterprises need a place where policy becomes enforceable, consistently, across
757
00:33:07,520 –> 00:33:08,640
every caller.
758
00:33:08,640 –> 00:33:13,600
If you let every flow call the function endpoint directly, you get the same outcome you always
759
00:33:13,600 –> 00:33:15,400
get in power platform.
760
00:33:15,400 –> 00:33:17,360
Hundreds of slightly different clients.
761
00:33:17,360 –> 00:33:22,160
Each with their own expectations, timeouts, payload quirks and retry behaviors.
762
00:33:22,160 –> 00:33:25,240
And then your service isn’t a service, it’s a compatibility hostage.
763
00:33:25,240 –> 00:33:27,120
APM is the contract boundary.
764
00:33:27,120 –> 00:33:30,160
It’s where the execution tier becomes an actual product.
765
00:33:30,160 –> 00:33:34,200
Versioned endpoints, documented schemers, predictable arrow shapes and policies that don’t depend
766
00:33:34,200 –> 00:33:36,240
on every maker remembering the rules.
767
00:33:36,240 –> 00:33:39,880
It’s also where you centralize throttling and abuse control, so the orchestration tier
768
00:33:39,880 –> 00:33:45,000
can scale without deducing your own back end by accident, because that happens.
769
00:33:45,000 –> 00:33:49,000
Your automated retries are not polite, parallel branches are not polite, applied to each with
770
00:33:49,000 –> 00:33:51,160
concurrency turned on is definitely not polite.
771
00:33:51,160 –> 00:33:54,840
So if you don’t have a choke point, your execution tier will get load patterns that feel
772
00:33:54,840 –> 00:33:59,320
like an attack, except they’re coming from your own tenant with legitimate permissions.
773
00:33:59,320 –> 00:34:01,600
APM gives you a place to enforce.
774
00:34:01,600 –> 00:34:07,640
Rate limits, quotas, header requirements, payload size and response timeouts, not as guidance
775
00:34:07,640 –> 00:34:08,800
as reality.
776
00:34:08,800 –> 00:34:11,800
It also gives you a place to enforce authentication consistently.
777
00:34:11,800 –> 00:34:15,960
You already decided cross tier calls must use enter based workload identity.
778
00:34:15,960 –> 00:34:18,880
APM lets you make that the default behavior.
779
00:34:18,880 –> 00:34:23,800
Validate tokens, validate audiences, reject unknown issuers, reject missing scopes and
780
00:34:23,800 –> 00:34:26,660
do it before the request ever reaches your function runtime.
781
00:34:26,660 –> 00:34:29,240
That distinction matters because functions are execution.
782
00:34:29,240 –> 00:34:33,840
They should spend CPU doing compute, not doing gatekeeping for every caller variation.
783
00:34:33,840 –> 00:34:35,200
You forgot to constrain.
784
00:34:35,200 –> 00:34:38,760
Then there’s the part everyone ignores until the platform turns on them.
785
00:34:38,760 –> 00:34:44,240
Flows live for years, makers copy them, departments fork them, someone saves a template in a team
786
00:34:44,240 –> 00:34:46,800
and suddenly you have 50 clones calling your endpoint.
787
00:34:46,800 –> 00:34:50,600
If your function API changes shape and you don’t have a versioning story, you’ll break
788
00:34:50,600 –> 00:34:53,000
production in places you can’t even find.
789
00:34:53,000 –> 00:34:55,560
APM is where you make versioning boring.
790
00:34:55,560 –> 00:34:57,360
V1 does what it always did.
791
00:34:57,360 –> 00:34:59,400
V2 exists when you need to evolve.
792
00:34:59,400 –> 00:35:03,080
Deprecation becomes a planned life cycle event, not a surprise outage.
793
00:35:03,080 –> 00:35:07,120
And you can instrument which clients still hit V1 so you can actually drive retirement.
794
00:35:07,120 –> 00:35:09,120
That’s governance, not policy documents.
795
00:35:09,120 –> 00:35:13,840
APM also forces contract discipline which is the opposite of just past JSON.
796
00:35:13,840 –> 00:35:16,760
The execution tier should reject ambiguous payloads.
797
00:35:16,760 –> 00:35:18,640
If a field is required, it’s required.
798
00:35:18,640 –> 00:35:20,600
If a schema changed, the caller needs to know.
799
00:35:20,600 –> 00:35:22,600
If an array is too large, fail fast.
800
00:35:22,600 –> 00:35:24,160
If a content type is wrong, reject it.
801
00:35:24,160 –> 00:35:28,800
The point is to stop garbage in from becoming mysterious behavior that you debug at 3am
802
00:35:28,800 –> 00:35:31,560
power platform teams hate this at first because it feels strict.
803
00:35:31,560 –> 00:35:32,760
It’s supposed to.
804
00:35:32,760 –> 00:35:35,200
Strict contracts are what keep orchestration maintainable.
805
00:35:35,200 –> 00:35:39,400
When flows can send anything and the backend tries to guess intent, you’re back to probabilistic
806
00:35:39,400 –> 00:35:40,400
behavior.
807
00:35:40,400 –> 00:35:42,160
You’re back to exceptions being architecture.
808
00:35:42,160 –> 00:35:46,640
APM lets you enforce validation and normalization at the boundary so both sides stay honest.
809
00:35:46,640 –> 00:35:51,440
And yes, APM is also the right place for transformation policies when you absolutely need them.
810
00:35:51,440 –> 00:35:57,120
Rewrite headers, map fields, standardize error responses, even do lightweight filtering.
811
00:35:57,120 –> 00:35:58,120
The rule is simple.
812
00:35:58,120 –> 00:36:00,520
APM enforces interface behavior.
813
00:36:00,520 –> 00:36:02,720
Python executes business compute.
814
00:36:02,720 –> 00:36:05,440
It rebuilds your service logic and policies.
815
00:36:05,440 –> 00:36:07,680
That’s just moving the mess to a different UI.
816
00:36:07,680 –> 00:36:12,920
Finally, APM is how you stop every flow from becoming an API client with custom quirks.
817
00:36:12,920 –> 00:36:15,480
Without APM, makers will do what makers always do.
818
00:36:15,480 –> 00:36:21,280
Set weird timeouts, ignore error codes, pass text, and implement retry logic by adding delays.
819
00:36:21,280 –> 00:36:23,400
With APM, you can publish a single standard.
820
00:36:23,400 –> 00:36:24,400
This is the endpoint.
821
00:36:24,400 –> 00:36:25,400
This is the contract.
822
00:36:25,400 –> 00:36:26,400
This is the auth.
823
00:36:26,400 –> 00:36:27,400
This is the expected response.
824
00:36:27,400 –> 00:36:28,400
This is the error model.
825
00:36:28,400 –> 00:36:30,080
And this is the throttling behavior.
826
00:36:30,080 –> 00:36:32,520
Now your hybrid mandate looks like a system.
827
00:36:32,520 –> 00:36:33,680
It’s not a diagram.
828
00:36:33,680 –> 00:36:34,960
And this is the actual payoff.
829
00:36:34,960 –> 00:36:39,720
APM becomes the layer that lets the back and evolve while orchestration stays stable.
830
00:36:39,720 –> 00:36:44,000
Engineers can patch dependencies, optimize compute or refactor internal modules without asking
831
00:36:44,000 –> 00:36:46,560
makers to rewrite business process logic.
832
00:36:46,560 –> 00:36:47,560
The contract holds.
833
00:36:47,560 –> 00:36:49,480
The orchestration tier keeps coordinating.
834
00:36:49,480 –> 00:36:51,360
The execution tier keeps executing.
835
00:36:51,360 –> 00:36:54,680
But none of this matters if you can’t see failures across tiers.
836
00:36:54,680 –> 00:36:55,840
Governance doesn’t fail loudly.
837
00:36:55,840 –> 00:36:57,640
It fails silently.
838
00:36:57,640 –> 00:37:01,800
So the next boundary is the one that makes incident response deterministic.
839
00:37:01,800 –> 00:37:05,800
A system is a system that’s related logging across power platform, APM, and the execution
840
00:37:05,800 –> 00:37:07,520
tier.
841
00:37:07,520 –> 00:37:10,280
Logging boundary correlates logs across systems.
842
00:37:10,280 –> 00:37:14,520
Logging is where a hybrid architecture stops being a diagram and starts being debuggable.
843
00:37:14,520 –> 00:37:18,720
And most organizations fail here in the most predictable way possible.
844
00:37:18,720 –> 00:37:23,160
Every system logs its own truth in its own format with its own identifiers, and then the
845
00:37:23,160 –> 00:37:26,320
incident bridge call becomes a group project in interpretation.
846
00:37:26,320 –> 00:37:27,840
Power automate has run history.
847
00:37:27,840 –> 00:37:32,320
The PM has request logs, Azure Functions has application inside traces.
848
00:37:32,320 –> 00:37:34,560
Dataverse has audit logs and its own activity telemetry.
849
00:37:34,560 –> 00:37:36,880
They all tell a story and they just don’t tell the same story.
850
00:37:36,880 –> 00:37:39,640
So when a flow run fails, you get the comfortable lie.
851
00:37:39,640 –> 00:37:42,280
The flow failed at the HTTP action.
852
00:37:42,280 –> 00:37:43,280
That’s not a root cause.
853
00:37:43,280 –> 00:37:44,360
That’s a location marker.
854
00:37:44,360 –> 00:37:49,440
The real question is whether the request hit APM, whether APM rejected it on policy, whether
855
00:37:49,440 –> 00:37:53,360
the function code through an exception, whether the function timed out, whether the downstream
856
00:37:53,360 –> 00:37:58,200
call to dataverse was denied, and whether retries created duplicates that are now someone
857
00:37:58,200 –> 00:37:59,680
else’s problem.
858
00:37:59,680 –> 00:38:03,240
If you can’t answer those questions in minutes, you don’t have observability.
859
00:38:03,240 –> 00:38:04,640
You have distributed journaling.
860
00:38:04,640 –> 00:38:07,720
The logging boundary in the hybrid mandate is explicit.
861
00:38:07,720 –> 00:38:13,160
One correlation ID must cross the orchestration tier, the API boundary, the execution tier,
862
00:38:13,160 –> 00:38:15,040
and any governed data operations.
863
00:38:15,040 –> 00:38:19,240
The same identifier shows up everywhere, every time, no exceptions.
864
00:38:19,240 –> 00:38:22,400
Because once you have that, incident response becomes deterministic.
865
00:38:22,400 –> 00:38:27,280
You stop guessing, you stop screenshot archaeology, you stop fighting over whose logs are right.
866
00:38:27,280 –> 00:38:31,520
You query the correlation ID and you see the end-to-end path of the transaction.
867
00:38:31,520 –> 00:38:35,160
So how does this work mechanically without turning into an implementation lecture?
868
00:38:35,160 –> 00:38:36,200
Start in power automate.
869
00:38:36,200 –> 00:38:41,000
The flow generates a correlation ID at the start of the run, not at the HTTP step, not inside
870
00:38:41,000 –> 00:38:42,000
Python.
871
00:38:42,000 –> 00:38:45,920
At the first moment, the orchestration tier decides, work is happening.
872
00:38:45,920 –> 00:38:50,520
That correlation ID becomes a variable and it gets attached to every cross tier call.
873
00:38:50,520 –> 00:38:55,080
First headers, payload fields were appropriate, and any status records you write to data
874
00:38:55,080 –> 00:38:56,080
verse.
875
00:38:56,080 –> 00:38:57,560
Then APIM enforces it.
876
00:38:57,560 –> 00:39:00,840
If the correlation ID header isn’t present, reject the request.
877
00:39:00,840 –> 00:39:03,720
This is the part that feels rude until you remember what you’re buying.
878
00:39:03,720 –> 00:39:06,320
The ability to operate at scale without ambiguity.
879
00:39:06,320 –> 00:39:10,360
APM can also generate one if you want, but the stronger pattern is to let orchestration
880
00:39:10,360 –> 00:39:13,120
originated so it maps cleanly to a flow run.
881
00:39:13,120 –> 00:39:17,760
Next as Zuer functions, the function code reads the correlation ID, sets it as the operation
882
00:39:17,760 –> 00:39:22,200
ID in its telemetry context and logs every meaningful step against it.
883
00:39:22,200 –> 00:39:26,400
Validation outcomes, branch decisions, downstream calls, and exceptions.
884
00:39:26,400 –> 00:39:27,880
Not verbose debug noise.
885
00:39:27,880 –> 00:39:29,840
Evidence then, downstream data operations.
886
00:39:29,840 –> 00:39:33,400
If the function writes to data verse through a governed interface, that interface must also
887
00:39:33,400 –> 00:39:35,280
log with the same correlation ID.
888
00:39:35,280 –> 00:39:39,880
If the orchestration tier writes to data verse directly, it writes the correlation ID into
889
00:39:39,880 –> 00:39:43,440
the record or an associated tracking table so you can type business data to technical
890
00:39:43,440 –> 00:39:44,600
execution.
891
00:39:44,600 –> 00:39:47,760
Now you can answer questions that otherwise turn into weak long post mortems.
892
00:39:47,760 –> 00:39:51,400
How long did the request spend in power automate before it left the orchestration tier?
893
00:39:51,400 –> 00:39:52,400
Did APM throttle it?
894
00:39:52,400 –> 00:39:53,920
And if so, how many times?
895
00:39:53,920 –> 00:39:57,360
Did the function execute or did it fail authentication at the edge?
896
00:39:57,360 –> 00:40:01,080
Did the function time out or did it throw a handled validation error?
897
00:40:01,080 –> 00:40:04,120
Did retries occur and were they idempotent or duplicative?
898
00:40:04,120 –> 00:40:05,200
How large was the payload?
899
00:40:05,200 –> 00:40:07,880
And did it cross the thresholds that trigger platform limits?
900
00:40:07,880 –> 00:40:11,120
Did permission denials occur and which principle got denied?
901
00:40:11,120 –> 00:40:16,200
Those are the metrics that matter, latency, failures, retries, payload size, throttle events,
902
00:40:16,200 –> 00:40:17,680
and authorization denials.
903
00:40:17,680 –> 00:40:21,200
Not because dashboards are fun, but because these signals tell you where architectural erosion
904
00:40:21,200 –> 00:40:22,200
is happening.
905
00:40:22,200 –> 00:40:24,840
And yes, you should push these logs somewhere central.
906
00:40:24,840 –> 00:40:27,360
Azure monitor and application insights are fine.
907
00:40:27,360 –> 00:40:31,120
Sentinel becomes relevant once you care about threat detection and not just troubleshooting.
908
00:40:31,120 –> 00:40:33,800
The product choice matters less than the behavior.
909
00:40:33,800 –> 00:40:38,560
Centralize, correlate, retain, and make it searchable by correlation ID and principle.
910
00:40:38,560 –> 00:40:42,840
This is also where you learn the uncomfortable truth about low-code observability.
911
00:40:42,840 –> 00:40:44,720
Power automate will show you what it did.
912
00:40:44,720 –> 00:40:47,520
It will not show you what your execution tier did.
913
00:40:47,520 –> 00:40:49,200
Your execution tier will show you what it did.
914
00:40:49,200 –> 00:40:51,640
It will not show you what power automate assumed.
915
00:40:51,640 –> 00:40:54,800
Without correlation, those gaps fill with human narratives.
916
00:40:54,800 –> 00:40:56,720
With correlation, they fill with data.
917
00:40:56,720 –> 00:41:00,840
And once you have correlated logs, the rest of the hybrid mandate becomes enforceable.
918
00:41:00,840 –> 00:41:02,160
You can prove boundaries exist.
919
00:41:02,160 –> 00:41:03,880
You can prove calls or authenticated.
920
00:41:03,880 –> 00:41:05,760
You can prove data didn’t move where it shouldn’t.
921
00:41:05,760 –> 00:41:08,000
You can prove which tier failed and why.
922
00:41:08,000 –> 00:41:10,440
That’s what governance looks like when it’s real.
923
00:41:10,440 –> 00:41:12,160
Evidence, not confidence.
924
00:41:12,160 –> 00:41:17,320
Now you can finally define the workflow end to end as a system, not a collection of parts.
925
00:41:17,320 –> 00:41:22,120
Conceptual flow, event, reasoning, orchestration, execution, commit.
926
00:41:22,120 –> 00:41:27,120
Now stitch the tiers together into a single conceptual flow, not because architects love diagrams,
927
00:41:27,120 –> 00:41:31,560
because your incident response team needs a mental model that survives pressure.
928
00:41:31,560 –> 00:41:32,840
The sequence is simple.
929
00:41:32,840 –> 00:41:37,040
Event reasoning, orchestration, execution, commit, five verbs, five places where intent
930
00:41:37,040 –> 00:41:39,040
can drift if you don’t pin it down.
931
00:41:39,040 –> 00:41:40,440
Start with the event.
932
00:41:40,440 –> 00:41:43,360
The event is the moment reality changes and the system notices.
933
00:41:43,360 –> 00:41:48,400
It can be an email arriving with an attachment, a team’s message, a form submission, a
934
00:41:48,400 –> 00:41:53,120
dataverse row being created or modified, a scheduled trigger that checks for late invoices,
935
00:41:53,120 –> 00:41:55,760
expiring contracts or missing compliance attestations.
936
00:41:55,760 –> 00:41:58,800
The event source doesn’t matter what matters is that events are noisy.
937
00:41:58,800 –> 00:42:01,960
They contain malformed inputs, duplicates and human chaos.
938
00:42:01,960 –> 00:42:04,480
So the event isn’t where you do the work.
939
00:42:04,480 –> 00:42:06,600
It’s where you decide whether work should happen.
940
00:42:06,600 –> 00:42:08,320
The decision is the reasoning layer.
941
00:42:08,320 –> 00:42:09,600
Reesoning is not execution.
942
00:42:09,600 –> 00:42:11,400
Reesoning is classification and rooting.
943
00:42:11,400 –> 00:42:14,560
It answers, is this request valid enough to process?
944
00:42:14,560 –> 00:42:15,920
And who owns the outcome?
945
00:42:15,920 –> 00:42:17,000
Do we need an approval?
946
00:42:17,000 –> 00:42:18,600
Which environment does this belong in?
947
00:42:18,600 –> 00:42:20,440
What category of work is this?
948
00:42:20,440 –> 00:42:24,360
Simple automation, high-risk change or something that requires escalation?
949
00:42:24,360 –> 00:42:26,760
This is where power platform earns its keep.
950
00:42:26,760 –> 00:42:29,480
A flow can apply cheap logic fast.
951
00:42:29,480 –> 00:42:32,000
Subject line filters, sender allow lists.
952
00:42:32,000 –> 00:42:33,160
Basic field validation.
953
00:42:33,160 –> 00:42:38,240
A backup of a business owner in dataverse, rooting to an approval or branching based on process state.
954
00:42:38,240 –> 00:42:39,400
Keep it readable.
955
00:42:39,400 –> 00:42:40,720
Keep it explainable.
956
00:42:40,720 –> 00:42:44,560
When a compliance lead asks why a record went down a particular path, the answer should
957
00:42:44,560 –> 00:42:47,160
be visible without reverse engineering Python.
958
00:42:47,160 –> 00:42:51,880
Then comes orchestration, which is the part most people confuse with execution.
959
00:42:51,880 –> 00:42:53,240
Orchestration is coordination over time.
960
00:42:53,240 –> 00:42:54,440
It creates a tracking record.
961
00:42:54,440 –> 00:42:55,720
It sets a correlation ID.
962
00:42:55,720 –> 00:42:57,680
It moves a process from state A to state B.
963
00:42:57,680 –> 00:42:58,680
It informs humans.
964
00:42:58,680 –> 00:42:59,680
It waits.
965
00:42:59,680 –> 00:43:00,960
It retries intentionally.
966
00:43:00,960 –> 00:43:03,120
It escalates when the process sits too long.
967
00:43:03,120 –> 00:43:07,480
It records that something happened even if the execution tier is currently unhealthy.
968
00:43:07,480 –> 00:43:11,200
This is where you enforce that the workflow is the system of record for the process, not
969
00:43:11,200 –> 00:43:13,520
the sidecar script and not the API logs.
970
00:43:13,520 –> 00:43:17,960
If the execution tier dies, the orchestration tier should still know what it asked for, when
971
00:43:17,960 –> 00:43:19,800
it asked for it, and what it’s waiting on.
972
00:43:19,800 –> 00:43:21,960
Now you cross the tier boundary into execution.
973
00:43:21,960 –> 00:43:25,480
The execution is where Python runs, but the key is that it runs as a service call, not
974
00:43:25,480 –> 00:43:26,640
as a vibe.
975
00:43:26,640 –> 00:43:31,160
The orchestration tier sends a bounded payload with a correlation ID and a contract version.
976
00:43:31,160 –> 00:43:35,960
The execution tier validates the payload, performs deterministic compute, and returns structured
977
00:43:35,960 –> 00:43:40,680
results, success, failure type, output data, and peritom errors when it’s batch work.
978
00:43:40,680 –> 00:43:42,600
This is also where identity belongs.
979
00:43:42,600 –> 00:43:46,640
The execution tier should treat the correlation ID as a first class input, so retries don’t
980
00:43:46,640 –> 00:43:47,840
create duplicates.
981
00:43:47,840 –> 00:43:51,080
If you rerun the same request, you should get the same outcome.
982
00:43:51,080 –> 00:43:53,520
Or a clean, already processed response.
983
00:43:53,520 –> 00:43:55,920
Anything else becomes retry storms and data drift.
984
00:43:55,920 –> 00:43:57,240
Then you get to commit.
985
00:43:57,240 –> 00:44:00,120
Commit is where enterprise data changes, and it has to be boring.
986
00:44:00,120 –> 00:44:04,720
It means writes back to dataverse or other systems of record through governed endpoints,
987
00:44:04,720 –> 00:44:07,680
with strict permissions and logged outcomes.
988
00:44:07,680 –> 00:44:10,400
Commit isn’t Python writes wherever it wants.
989
00:44:10,400 –> 00:44:13,360
Commit is the system records results through known paths.
990
00:44:13,360 –> 00:44:16,960
Sometimes the orchestration tier does the commit using native connectors and environment bound
991
00:44:16,960 –> 00:44:17,960
permissions.
992
00:44:17,960 –> 00:44:20,640
Sometimes the execution tier commits through an API boundary.
993
00:44:20,640 –> 00:44:22,920
Either way, the rule stays intact.
994
00:44:22,920 –> 00:44:27,360
Rites happen through interfaces that are authenticated, authorized, and observable.
995
00:44:27,360 –> 00:44:30,560
And finally, the orchestration tier closes the loop.
996
00:44:30,560 –> 00:44:35,440
It updates status, notifies stakeholders, and stores the execution output in a form the
997
00:44:35,440 –> 00:44:36,960
business can actually consume.
998
00:44:36,960 –> 00:44:39,440
Not raw logs, not screenshots, data.
999
00:44:39,440 –> 00:44:40,520
So that’s the sequence.
1000
00:44:40,520 –> 00:44:42,600
Event decides that something might matter.
1001
00:44:42,600 –> 00:44:44,640
Reasoning decides what should happen.
1002
00:44:44,640 –> 00:44:46,320
Orchestration manages the process.
1003
00:44:46,320 –> 00:44:50,720
Execution does deterministic compute, and commit records the outcome safely.
1004
00:44:50,720 –> 00:44:53,920
If you can’t name which tier owns each verb, you don’t have a hybrid model.
1005
00:44:53,920 –> 00:44:55,280
You have cross-system guesswork.
1006
00:44:55,280 –> 00:44:58,720
Now make it tangible because abstract models don’t survive first contact with spreadsheets
1007
00:44:58,720 –> 00:45:00,480
and bulk updates.
1008
00:45:00,480 –> 00:45:04,920
Scenario one, CSV, Excel processing without flow spaghetti.
1009
00:45:04,920 –> 00:45:09,280
This is the scenario that shows up in every enterprise, regardless of how digital the strategy
1010
00:45:09,280 –> 00:45:10,280
deck looks.
1011
00:45:10,280 –> 00:45:15,280
Spreadsheets, finance lives in Excel, operations lives in CSV exports, vendor send reports that
1012
00:45:15,280 –> 00:45:18,720
are really just semi-structured guesses with a header row.
1013
00:45:18,720 –> 00:45:23,320
And somehow all of that becomes a business process with deadlines and consequences.
1014
00:45:23,320 –> 00:45:25,240
For automate can process these files.
1015
00:45:25,240 –> 00:45:27,080
Of course it can, that’s not the debate.
1016
00:45:27,080 –> 00:45:30,840
The debate is what happens after the third small tweak and the fifth edge case and the
1017
00:45:30,840 –> 00:45:32,160
tenth file format.
1018
00:45:32,160 –> 00:45:33,880
That’s basically the same.
1019
00:45:33,880 –> 00:45:35,360
This is where flows become spaghetti.
1020
00:45:35,360 –> 00:45:38,560
A maker builds a flow that triggers when a file lands in SharePoint.
1021
00:45:38,560 –> 00:45:40,040
It lists rows in a table.
1022
00:45:40,040 –> 00:45:41,040
It loops.
1023
00:45:41,040 –> 00:45:42,040
It transforms text.
1024
00:45:42,040 –> 00:45:43,040
It converts date formats.
1025
00:45:43,040 –> 00:45:45,200
It tries to handle commas inside quoted fields.
1026
00:45:45,200 –> 00:45:47,520
It tries to ignore blank rows that aren’t blank.
1027
00:45:47,520 –> 00:45:50,960
It tries to detect the total line someone left at the bottom.
1028
00:45:50,960 –> 00:45:54,840
Then it tries to build error handling inside scopes because a single bad row shouldn’t fail
1029
00:45:54,840 –> 00:45:55,840
the whole run.
1030
00:45:55,840 –> 00:45:59,400
Then someone asks for a summary email with the rows that failed.
1031
00:45:59,400 –> 00:46:03,720
And now you’re building an error report generator inside an orchestration engine.
1032
00:46:03,720 –> 00:46:06,640
This is how you end up with a flow that is both fragile and expensive.
1033
00:46:06,640 –> 00:46:08,880
So in the hybrid mandate, the split is clean.
1034
00:46:08,880 –> 00:46:12,880
The flow owns intake, permission checks, status tracking and notifications.
1035
00:46:12,880 –> 00:46:15,120
It does the work that’s inherently orchestration.
1036
00:46:15,120 –> 00:46:16,520
A file arrived.
1037
00:46:16,520 –> 00:46:17,600
This is the owner.
1038
00:46:17,600 –> 00:46:19,200
This is the process state.
1039
00:46:19,200 –> 00:46:20,640
This needs approval.
1040
00:46:20,640 –> 00:46:22,280
Certify these people.
1041
00:46:22,280 –> 00:46:24,280
Record that we attempted processing.
1042
00:46:24,280 –> 00:46:26,520
Record that processing succeeded or failed.
1043
00:46:26,520 –> 00:46:31,880
The flow does not own passing, normalization, deduplication, validation, logic or report formatting.
1044
00:46:31,880 –> 00:46:33,640
Not because makers aren’t capable.
1045
00:46:33,640 –> 00:46:37,720
Because that logic needs determinism and testability and those are not native properties of a flow
1046
00:46:37,720 –> 00:46:38,720
run history.
1047
00:46:38,720 –> 00:46:43,200
So the flow receives the file, stores it in a governed location and calls the execution
1048
00:46:43,200 –> 00:46:44,200
tier.
1049
00:46:44,200 –> 00:46:47,800
The execution tier Python as a service does what Python is good at.
1050
00:46:47,800 –> 00:46:51,120
It reads the CSV or Excel with a real library built for it.
1051
00:46:51,120 –> 00:46:53,760
It normalizes columns into a defined schema.
1052
00:46:53,760 –> 00:46:55,720
It handles date passing with strict rules.
1053
00:46:55,720 –> 00:46:58,920
It detects duplicates using keys you can explain in unit test.
1054
00:46:58,920 –> 00:47:04,280
It validates every row against an explicit rule set and returns results as structured data.
1055
00:47:04,280 –> 00:47:07,880
Accepted rows, rejected rows, and why each row failed.
1056
00:47:07,880 –> 00:47:10,080
And here’s the part most organizations miss.
1057
00:47:10,080 –> 00:47:12,520
Errors come back as data, not as screenshots.
1058
00:47:12,520 –> 00:47:16,600
In the low-code only approach, a failure becomes an exception with a blob of context.
1059
00:47:16,600 –> 00:47:17,760
It’s hard to aggregate.
1060
00:47:17,760 –> 00:47:21,840
In the hybrid approach, the Python service returns a result contract that looks boring
1061
00:47:21,840 –> 00:47:26,240
on purpose, counts, row-level status, a list of validation messages with line numbers
1062
00:47:26,240 –> 00:47:29,200
or record identifiers and a correlation ID.
1063
00:47:29,200 –> 00:47:30,920
Now the flow can do what it’s actually good at.
1064
00:47:30,920 –> 00:47:32,440
It can root those errors.
1065
00:47:32,440 –> 00:47:37,560
If there are rejections, it can notify the submitter with a formatted summary and a link
1066
00:47:37,560 –> 00:47:41,400
to the rejected rows stored in a controlled table or file.
1067
00:47:41,400 –> 00:47:45,480
If the batch is clean, it can progress the process state and trigger downstream work.
1068
00:47:45,480 –> 00:47:49,760
If the batch fails validation beyond a threshold, it can escalate to a human review step.
1069
00:47:49,760 –> 00:47:54,000
And all of that remains readable in the flow because the heavy logic is not embedded in a
1070
00:47:54,000 –> 00:47:55,440
maze of expressions.
1071
00:47:55,440 –> 00:47:58,000
This is also where you stop leaking data through convenience.
1072
00:47:58,000 –> 00:48:02,960
If the execution tier is a governed service behind APIM authenticated via Entra, contained
1073
00:48:02,960 –> 00:48:07,840
by network boundaries and emitting correlated logs, then processing a spreadsheet no longer
1074
00:48:07,840 –> 00:48:11,720
means dump business data into random files and hope it’s fine.
1075
00:48:11,720 –> 00:48:14,040
It means the file enters a controlled pipeline.
1076
00:48:14,040 –> 00:48:17,160
It can take execution and commit with evidence at every step.
1077
00:48:17,160 –> 00:48:20,520
And the output contract matters more than the implementation.
1078
00:48:20,520 –> 00:48:24,360
Because once you have a stable contract, you can evolve the Python logic without rewriting
1079
00:48:24,360 –> 00:48:25,360
the business process.
1080
00:48:25,360 –> 00:48:27,080
You can add a new column mapping.
1081
00:48:27,080 –> 00:48:28,760
You can update a validation rule.
1082
00:48:28,760 –> 00:48:30,040
You can patch a dependency.
1083
00:48:30,040 –> 00:48:31,360
You can optimize performance.
1084
00:48:31,360 –> 00:48:32,520
The flow doesn’t change.
1085
00:48:32,520 –> 00:48:34,920
The process owners don’t have to relearn the automation.
1086
00:48:34,920 –> 00:48:37,320
The orchestration tier stays stable while execution improves.
1087
00:48:37,320 –> 00:48:39,160
And that’s the actual maturity move.
1088
00:48:39,160 –> 00:48:41,000
Not we used Python.
1089
00:48:41,000 –> 00:48:45,080
We separated orchestration from execution and we made the boundary explicit.
1090
00:48:45,080 –> 00:48:49,000
So the spreadsheet scenario stops being a maker right of passage and becomes a governed
1091
00:48:49,000 –> 00:48:53,080
service pattern, flow coordinates, Python computes, Azure enforces.
1092
00:48:53,080 –> 00:48:56,760
And once you’ve done it for CSV and Excel, the next failure mode becomes obvious.
1093
00:48:56,760 –> 00:48:58,000
It’s not formatting.
1094
00:48:58,000 –> 00:49:00,240
It’s scale.
1095
00:49:00,240 –> 00:49:04,560
bulk updates, throttles, partial success and the classic enterprise question.
1096
00:49:04,560 –> 00:49:08,200
Can we do 10,000 of these by tomorrow without corrupting our data?
1097
00:49:08,200 –> 00:49:12,360
Inario 2, bulk data verse updates with deterministic validation.
1098
00:49:12,360 –> 00:49:17,440
bulk updates are where power automates it worked in testing story usually ends.
1099
00:49:17,440 –> 00:49:19,360
Not because flows can’t update data verse.
1100
00:49:19,360 –> 00:49:20,360
They can.
1101
00:49:20,360 –> 00:49:24,360
The failure happens when you move from dozens of records to thousands and the platform stops
1102
00:49:24,360 –> 00:49:29,640
behaving like a friendly assistant and starts behaving like a rate limited distributed system.
1103
00:49:29,640 –> 00:49:30,640
Because that’s what it is.
1104
00:49:30,640 –> 00:49:32,720
The usual pattern is painfully consistent.
1105
00:49:32,720 –> 00:49:36,520
Someone builds a flow that queries data verse for a set of rows, then runs an apply to
1106
00:49:36,520 –> 00:49:41,400
each, then does an update a row action, maybe with concurrency turned on to speed it up and
1107
00:49:41,400 –> 00:49:45,080
then adds a couple scopes with run after conditions to catch failures.
1108
00:49:45,080 –> 00:49:46,600
It ships, it runs.
1109
00:49:46,600 –> 00:49:48,000
It even succeeds a few times.
1110
00:49:48,000 –> 00:49:53,280
Then scale shows up, throttling shows up, intermittent connector errors show up, runs timeout,
1111
00:49:53,280 –> 00:49:54,640
retries kick in.
1112
00:49:54,640 –> 00:49:58,640
Some updates succeed some fail and the flow has no coherent concept of rollback.
1113
00:49:58,640 –> 00:50:02,800
Now you have partial success with no deterministic replay strategy, which is another way of saying
1114
00:50:02,800 –> 00:50:04,880
you have data drift with a progress bar.
1115
00:50:04,880 –> 00:50:08,600
And the real damage isn’t the failures, it’s the ambiguity when someone asks which records
1116
00:50:08,600 –> 00:50:12,000
were updated, the answer turns into, well, mostly.
1117
00:50:12,000 –> 00:50:14,040
That’s not acceptable in the system of record.
1118
00:50:14,040 –> 00:50:18,720
So the hybrid mandate treats bulk updates as an execution tier problem, not an orchestration
1119
00:50:18,720 –> 00:50:19,720
tier hobby.
1120
00:50:19,720 –> 00:50:21,120
Here’s what stays in the flow.
1121
00:50:21,120 –> 00:50:25,880
In take of the request, approval if it’s a high impact change, creation of a tracking record
1122
00:50:25,880 –> 00:50:28,760
in data verse and communication to stakeholders.
1123
00:50:28,760 –> 00:50:33,760
The flow also decides the boundary conditions, which table, which segment, which job type,
1124
00:50:33,760 –> 00:50:37,320
which correlation idea and what done means, the flow owns the business meaning.
1125
00:50:37,320 –> 00:50:41,160
Then it calls Python as a service and Python does two things that flows are structurally
1126
00:50:41,160 –> 00:50:44,560
bad at, deterministic validation and deterministic batching.
1127
00:50:44,560 –> 00:50:45,840
Start with validation.
1128
00:50:45,840 –> 00:50:50,160
Before Python writes anything, it validates the entire candidate set, not one row at a time,
1129
00:50:50,160 –> 00:50:54,880
mid loop, with half the records already committed, the execution tier pulls the necessary fields
1130
00:50:54,880 –> 00:51:00,080
through a controlled interface, applies strict rules and produces a validation report.
1131
00:51:00,080 –> 00:51:03,600
Counts, categories of failure and per record reasons.
1132
00:51:03,600 –> 00:51:07,360
This is where you stop confusing update logic with data quality.
1133
00:51:07,360 –> 00:51:11,440
If you’re about to update 10,000 records, you don’t want to discover on record 7,000 Simp
1134
00:51:11,440 –> 00:51:16,280
1.32 that the data violates a rule and now you’re in the middle of a half applied change.
1135
00:51:16,280 –> 00:51:18,680
Validation first is what makes the operation reversible.
1136
00:51:18,680 –> 00:51:21,320
You can reject the whole job before it mutates reality.
1137
00:51:21,320 –> 00:51:22,320
Then batching.
1138
00:51:22,320 –> 00:51:24,320
Python controls how rights happen.
1139
00:51:24,320 –> 00:51:27,720
Chunk sizes back off retry strategy and id impotency keys.
1140
00:51:27,720 –> 00:51:33,000
It writes in batches you can reason about and it records outcomes per batch and per record.
1141
00:51:33,000 –> 00:51:35,840
If a batch fails, you know exactly which records were in it.
1142
00:51:35,840 –> 00:51:40,040
If a retry happens, it doesn’t create duplicate updates because the execution tier treats the
1143
00:51:40,040 –> 00:51:44,600
correlation id plus record identity as a first class id impotency input.
1144
00:51:44,600 –> 00:51:45,920
That’s the deterministic part.
1145
00:51:45,920 –> 00:51:50,320
The same job produces the same outcomes even under retries, even under throttling, even
1146
00:51:50,320 –> 00:51:52,120
under transient failures.
1147
00:51:52,120 –> 00:51:55,040
And now the critical governance rule from earlier stays intact.
1148
00:51:55,040 –> 00:51:57,840
No direct external dataverse exposure.
1149
00:51:57,840 –> 00:52:02,040
Python doesn’t get to talk to dataverse, however at once, just because it’s back end code.
1150
00:52:02,040 –> 00:52:03,920
You still enforce the mediated pattern.
1151
00:52:03,920 –> 00:52:08,600
The execution tier writes through governed endpoints that might be an API behind APIM that
1152
00:52:08,600 –> 00:52:12,080
performs the rights with a controlled identity and logs every operation.
1153
00:52:12,080 –> 00:52:16,200
Or it might be the orchestration tier doing the final commit based on the execution tiers
1154
00:52:16,200 –> 00:52:17,200
output.
1155
00:52:17,200 –> 00:52:20,480
Either way, you don’t let bulk mutation become a free for all just because the code is in
1156
00:52:20,480 –> 00:52:24,840
Python because bulk mutation is where least privilege gets murdered first.
1157
00:52:24,840 –> 00:52:28,160
Engineers get tired of permission errors, so they grant broad roles.
1158
00:52:28,160 –> 00:52:29,400
Makers get tired of failures.
1159
00:52:29,400 –> 00:52:31,280
So they ask for exceptions.
1160
00:52:31,280 –> 00:52:33,320
It’s become permanent entropy wins.
1161
00:52:33,320 –> 00:52:38,240
So you design the right path to be narrow by default, specific tables, specific actions,
1162
00:52:38,240 –> 00:52:40,760
specific scopes and audited principles.
1163
00:52:40,760 –> 00:52:44,240
Now look at what becomes possible once the execution tier owns the bulk job.
1164
00:52:44,240 –> 00:52:50,800
You can return per record status as actual data, updated, skipped, rejected, already compliant,
1165
00:52:50,800 –> 00:52:52,160
conflict detected, and why.
1166
00:52:52,160 –> 00:52:54,960
You can store that in a dataverse table as the job ledger.
1167
00:52:54,960 –> 00:52:58,480
You can produce a human readable summary for the business, but you still keep machine
1168
00:52:58,480 –> 00:53:00,320
readable truth for incident response.
1169
00:53:00,320 –> 00:53:04,200
And you can do the one thing enterprises always pretend they don’t need until they do.
1170
00:53:04,200 –> 00:53:05,200
Prove what happened.
1171
00:53:05,200 –> 00:53:06,800
Not the flow ran successfully.
1172
00:53:06,800 –> 00:53:11,280
What records changed, what values changed, who authorized it, what job produced it, and
1173
00:53:11,280 –> 00:53:16,920
what correlation ID ties every step together across flow, APM and function logs.
1174
00:53:16,920 –> 00:53:19,480
That’s how bulk operations stop being terrifying.
1175
00:53:19,480 –> 00:53:22,080
The flow becomes the request and approval layer.
1176
00:53:22,080 –> 00:53:25,200
Python becomes the deterministic execution engine.
1177
00:53:25,200 –> 00:53:30,040
Azure becomes the enforcement layer that makes identity network and logging non-negotiable.
1178
00:53:30,040 –> 00:53:33,760
And once you’ve solved bulk updates, the next question shows up immediately, usually from
1179
00:53:33,760 –> 00:53:37,160
the same teams that caused the bulk update problem in the first place.
1180
00:53:37,160 –> 00:53:39,960
They want to add just a little AI to the process.
1181
00:53:39,960 –> 00:53:45,600
That’s where things go from expensive to unpredictable if you don’t keep the same tier boundaries.
1182
00:53:45,600 –> 00:53:46,600
Scenario 3.
1183
00:53:46,600 –> 00:53:49,480
ML inference as a govern service, not a maker experiment.
1184
00:53:49,480 –> 00:53:54,920
AI is where the hybrid mandate gets tested because AI tempts people into skipping architecture.
1185
00:53:54,920 –> 00:54:00,240
A maker sees an action that can call an LLM, drops it into a flow, and suddenly the workflow thinks.
1186
00:54:00,240 –> 00:54:02,200
It demos well, it even ships.
1187
00:54:02,200 –> 00:54:04,520
Then finance asks why the monthly bill doubled.
1188
00:54:04,520 –> 00:54:06,840
Legal asks how decisions get explained.
1189
00:54:06,840 –> 00:54:10,520
Security asks where prompts and outputs went, and the business asks the only question that
1190
00:54:10,520 –> 00:54:14,120
matters, why did the same input produce a different result this week?
1191
00:54:14,120 –> 00:54:15,120
This is the risk.
1192
00:54:15,120 –> 00:54:19,880
Embedding inference directly in flows turns cost, behavior, and governance into a probabilistic
1193
00:54:19,880 –> 00:54:20,880
mess.
1194
00:54:20,880 –> 00:54:23,920
The orchestration tier was never designed to be your model runtime, your prompt management
1195
00:54:23,920 –> 00:54:25,440
system, and your safety layer.
1196
00:54:25,440 –> 00:54:28,680
When you force it to be, you get conditional chaos with a token budget.
1197
00:54:28,680 –> 00:54:31,320
So the rule stays consistent with everything else.
1198
00:54:31,320 –> 00:54:34,280
Infrance belongs in the execution tier, not in the orchestration tier.
1199
00:54:34,280 –> 00:54:35,280
The Y is simple.
1200
00:54:35,280 –> 00:54:37,520
ML inference is compute with consequences.
1201
00:54:37,520 –> 00:54:41,480
It needs deterministic rappers even when the model itself is stochastic.
1202
00:54:41,480 –> 00:54:42,480
It needs versioning.
1203
00:54:42,480 –> 00:54:43,480
It needs guardrails.
1204
00:54:43,480 –> 00:54:45,400
It needs auditable inputs and outputs.
1205
00:54:45,400 –> 00:54:48,960
And it needs a place where engineers can fix it without opening 50 flows and praying they
1206
00:54:48,960 –> 00:54:50,560
all use the same prompt.
1207
00:54:50,560 –> 00:54:53,680
In the hybrid pattern, power automate still does what it’s good at.
1208
00:54:53,680 –> 00:54:55,400
It roots the business process.
1209
00:54:55,400 –> 00:54:59,520
It decides when inference should happen, who is allowed to request it, what record it’s
1210
00:54:59,520 –> 00:55:01,280
tied to, and what happens next.
1211
00:55:01,280 –> 00:55:05,440
It does not own the prompt, the retry logic, or the passing of untrusted model output.
1212
00:55:05,440 –> 00:55:06,440
That’s execution.
1213
00:55:06,440 –> 00:55:11,280
So the flow calls a Python service behind APIM, authenticated via Entra, with network
1214
00:55:11,280 –> 00:55:13,680
containment and correlated logging.
1215
00:55:13,680 –> 00:55:15,820
Same as the CSV and bulk update scenarios.
1216
00:55:15,820 –> 00:55:17,440
The only difference is the workload.
1217
00:55:17,440 –> 00:55:21,320
Instead of passing files or batching updates, Python is invoking a model preparing features
1218
00:55:21,320 –> 00:55:22,880
and returning stable outputs.
1219
00:55:22,880 –> 00:55:24,640
Here’s what Python does that flows shouldn’t.
1220
00:55:24,640 –> 00:55:26,400
First, input shaping.
1221
00:55:26,400 –> 00:55:32,000
Most AI in flows failures start with garbage inputs, unbounded text, missing context, sensitive
1222
00:55:32,000 –> 00:55:36,600
fields accidentally included, or random formatting that makes the model behave differently.
1223
00:55:36,600 –> 00:55:39,000
The Python tier normalizes and constraints input.
1224
00:55:39,000 –> 00:55:45,120
It can trim, redact, classify, and reject payloads before they ever hit a model endpoint.
1225
00:55:45,120 –> 00:55:46,120
That’s not optional.
1226
00:55:46,120 –> 00:55:47,120
That’s your safety boundary.
1227
00:55:47,120 –> 00:55:50,080
Second, prompt and configuration versioning.
1228
00:55:50,080 –> 00:55:51,800
Infraints isn’t just call the model.
1229
00:55:51,800 –> 00:55:55,720
It’s a specific prompt template with a specific system message, with specific tool settings,
1230
00:55:55,720 –> 00:56:00,160
with specific temperature and max tokens, and often with specific grounding data.
1231
00:56:00,160 –> 00:56:04,440
If that configuration lives inside a flow action, you’ve turned prompt engineering into a distributed
1232
00:56:04,440 –> 00:56:06,480
configuration drift problem.
1233
00:56:06,480 –> 00:56:09,280
Every copied flow becomes its own model behavior fork.
1234
00:56:09,280 –> 00:56:12,440
Nobody can answer which version is running where entropy wins again.
1235
00:56:12,440 –> 00:56:15,920
So the execution tier owns prompt versions like code artifacts.
1236
00:56:15,920 –> 00:56:18,920
Version identifiers become part of the response contract.
1237
00:56:18,920 –> 00:56:20,920
And the business asks why behavior changed?
1238
00:56:20,920 –> 00:56:22,200
You don’t argue about vibes.
1239
00:56:22,200 –> 00:56:24,560
You point to a version and a change record.
1240
00:56:24,560 –> 00:56:27,960
Third, guard rails and deterministic post processing.
1241
00:56:27,960 –> 00:56:31,160
Model outputs are not structured until you force them to be.
1242
00:56:31,160 –> 00:56:34,760
Flows tend to treat model text like truth and then pass it with expressions that break
1243
00:56:34,760 –> 00:56:36,680
the moment the model gets creative.
1244
00:56:36,680 –> 00:56:41,840
The Python tier can enforce strict output schemers, validate fields, reject malformed results,
1245
00:56:41,840 –> 00:56:44,240
and apply deterministic rules that the business can audit.
1246
00:56:44,240 –> 00:56:46,680
The model can suggest the service decides what counts.
1247
00:56:46,680 –> 00:56:49,280
The uncomfortable truth executives need to hear.
1248
00:56:49,280 –> 00:56:50,920
AI doesn’t replace policy.
1249
00:56:50,920 –> 00:56:55,120
AI needs policy codified because otherwise it becomes a liability generator.
1250
00:56:55,120 –> 00:56:56,320
So what comes back to the flow?
1251
00:56:56,320 –> 00:56:57,320
Not raw text.
1252
00:56:57,320 –> 00:56:59,400
Not here’s the model’s opinion.
1253
00:56:59,400 –> 00:57:02,960
The execution tier returns stable bounded outputs.
1254
00:57:02,960 –> 00:57:08,080
A classification label, a confident score if you choose to expose it, a set of extracted fields,
1255
00:57:08,080 –> 00:57:11,480
a decision recommendation with a reason code and any warnings.
1256
00:57:11,480 –> 00:57:15,320
If the model can’t comply with the schema, the service returns a failure type.
1257
00:57:15,320 –> 00:57:20,280
The orchestration tier can root, retry, human review or reject.
1258
00:57:20,280 –> 00:57:22,640
Now you get the enterprise behaviors you actually want.
1259
00:57:22,640 –> 00:57:26,960
Cost becomes governable because APM can throttle and you can measure token usage at the service
1260
00:57:26,960 –> 00:57:29,760
boundary instead of hiding it in flow runs.
1261
00:57:29,760 –> 00:57:34,560
Behavior becomes governable because prompts and passing live in one place with version control.
1262
00:57:34,560 –> 00:57:39,120
Auditability becomes possible because you can log inputs, outputs and config versions
1263
00:57:39,120 –> 00:57:42,720
with correlation IDs tied back to the flow run and the dataverse record.
1264
00:57:42,720 –> 00:57:47,480
And you can finally separate AI experimentation from AI in production without pretending
1265
00:57:47,480 –> 00:57:48,800
makers won’t experiment.
1266
00:57:48,800 –> 00:57:50,520
They will, they should.
1267
00:57:50,520 –> 00:57:54,920
But experiments belong in a green zone with controls, not in production flows that approve
1268
00:57:54,920 –> 00:57:59,840
payments, update customer records or trigger compliance actions.
1269
00:57:59,840 –> 00:58:02,600
The hybrid mandate doesn’t ban AI in power platform.
1270
00:58:02,600 –> 00:58:07,440
It contains it.flowstays orchestration, python does execution, Azure enforces governance.
1271
00:58:07,440 –> 00:58:12,000
And inference becomes a service with contracts, boundaries and evidence rather than a maker
1272
00:58:12,000 –> 00:58:16,200
experiment that slowly turns into policy drift with an invoice.
1273
00:58:16,200 –> 00:58:20,520
Scaling reality, limits, throttles and the conditional chaos tax.
1274
00:58:20,520 –> 00:58:24,480
Scale is where your architecture stops being an opinion and starts being a physics problem.
1275
00:58:24,480 –> 00:58:28,880
Power automate has run limits, connectors have throttles, dataverse has service protection
1276
00:58:28,880 –> 00:58:34,080
limits, APM has quotas, functions have execution timeouts, none of these are negotiable and none
1277
00:58:34,080 –> 00:58:37,080
of them care that a VP needs the workflow by Friday.
1278
00:58:37,080 –> 00:58:40,880
So when an automation succeeds and gets adopted it immediately becomes a scaling test
1279
00:58:40,880 –> 00:58:42,560
you didn’t design for.
1280
00:58:42,560 –> 00:58:48,160
Volume rises, concurrency rises, payload sizes creep up because someone adds just one more
1281
00:58:48,160 –> 00:58:49,160
field.
1282
00:58:49,160 –> 00:58:52,520
And then the platform does what distributed systems always do.
1283
00:58:52,520 –> 00:58:56,720
It applies back pressure, starts rejecting calls and forces you to learn the difference between
1284
00:58:56,720 –> 00:58:59,440
a deterministic system and a probabilistic one.
1285
00:58:59,440 –> 00:59:01,200
Here’s what most people miss.
1286
00:59:01,200 –> 00:59:03,560
Throttling doesn’t just slow you down, it changes behavior.
1287
00:59:03,560 –> 00:59:06,200
A flow that hits connector limits doesn’t fail cleanly.
1288
00:59:06,200 –> 00:59:10,400
It retries, it delays, it sometimes partially completes depending on where it hits the limit.
1289
00:59:10,400 –> 00:59:14,000
And because many flows don’t implement identity, retries don’t replay safely.
1290
00:59:14,000 –> 00:59:18,000
They duplicate work, they create conflicting updates, they send duplicate emails, they create
1291
00:59:18,000 –> 00:59:21,480
double approvals, they write the same record twice with two different values depending
1292
00:59:21,480 –> 00:59:23,360
on what data changed between attempts.
1293
00:59:23,360 –> 00:59:25,080
That’s the conditional chaos tax.
1294
00:59:25,080 –> 00:59:29,000
Not because power platform is unreliable, because your design assumed linear execution in
1295
00:59:29,000 –> 00:59:31,720
a world that enforces distributed constraints.
1296
00:59:31,720 –> 00:59:35,960
So treat scaling as a first class boundary decision, not a performance afterthought.
1297
00:59:35,960 –> 00:59:37,880
The orchestration tier needs to stay lean.
1298
00:59:37,880 –> 00:59:41,440
That is not a preference, it’s the only way the system remains survivable when adoption
1299
00:59:41,440 –> 00:59:42,600
doubles.
1300
00:59:42,600 –> 00:59:46,520
Every extra action in a flow is an additional failure surface.
1301
00:59:46,520 –> 00:59:50,560
Another timeout, another connector dependency, another retry path, another place where errors
1302
00:59:50,560 –> 00:59:53,280
can be swallowed and re-emitted as unknown.
1303
00:59:53,280 –> 00:59:57,040
And yes, people will argue that low code makes it easy to add steps.
1304
00:59:57,040 –> 01:00:00,720
That’s exactly the problem, it’s easy to add steps that become permanent, it’s easy to
1305
01:00:00,720 –> 01:00:05,000
add exceptions that become policy, it’s easy to keep shipping until you have a flow that
1306
01:00:05,000 –> 01:00:10,000
is effectively a data pipeline with a UI and those fail in slow, expensive, non-deterministic
1307
01:00:10,000 –> 01:00:11,000
ways.
1308
01:00:11,000 –> 01:00:15,000
So the hybrid mandate applies the same pressure as before, move compute out, keep coordination
1309
01:00:15,000 –> 01:00:16,000
in.
1310
01:00:16,000 –> 01:00:19,800
If you’re doing bulk operations, don’t loop through 10,000 records in power automate because
1311
01:00:19,800 –> 01:00:20,800
you can.
1312
01:00:20,800 –> 01:00:24,800
You will hit limits and the work around engineering will turn into the real logic.
1313
01:00:24,800 –> 01:00:29,240
Put the bulk work in Python behind APIM where you can control batching, apply back off and
1314
01:00:29,240 –> 01:00:31,160
implement idempotency properly.
1315
01:00:31,160 –> 01:00:36,720
If you’re doing heavy transforms, don’t pass and normalize in a flow because it’s just strings.
1316
01:00:36,720 –> 01:00:41,400
That turns into nested loops, fragile expressions and a debugging model that depends on run
1317
01:00:41,400 –> 01:00:42,960
history archaeology.
1318
01:00:42,960 –> 01:00:47,320
Do it in the execution tier where you can test it, version it and run it deterministically.
1319
01:00:47,320 –> 01:00:50,920
And when you do keep orchestration in the flow, you still need to respect the platform’s
1320
01:00:50,920 –> 01:00:51,920
shape.
1321
01:00:51,920 –> 01:00:53,600
Retrieves should be intentional, not accidental.
1322
01:00:53,600 –> 01:00:57,800
If a call fails, you should know whether you’re retrying because it was transient or because
1323
01:00:57,800 –> 01:01:00,080
you hit a quarter that won’t clear for an hour.
1324
01:01:00,080 –> 01:01:04,840
That means your execution tier needs failure types that the orchestration tier can root,
1325
01:01:04,840 –> 01:01:10,400
throttled, unauthorized, validation error, downstream unavailable timeout.
1326
01:01:10,400 –> 01:01:13,680
If everything comes back as 500, the flow can’t behave intelligently.
1327
01:01:13,680 –> 01:01:16,640
It will just try again until it makes the situation worse.
1328
01:01:16,640 –> 01:01:18,280
This is where APIM earns its keep again.
1329
01:01:18,280 –> 01:01:21,840
You throttle at the edge, you don’t let a thousand parallel flows stampede the back end
1330
01:01:21,840 –> 01:01:24,040
because someone turned on concurrency.
1331
01:01:24,040 –> 01:01:26,200
You apply quotas per client identity.
1332
01:01:26,200 –> 01:01:30,280
You enforce payload limits so you don’t get surprised 20 metabyte JSON bodies because someone
1333
01:01:30,280 –> 01:01:33,480
decided to send the entire spreadsheet to be safe.
1334
01:01:33,480 –> 01:01:38,240
You reject early, consistently and with a reason code, the orchestration tier can understand.
1335
01:01:38,240 –> 01:01:40,040
And when you need real scale, you queue.
1336
01:01:40,040 –> 01:01:41,040
Cues aren’t trendy.
1337
01:01:41,040 –> 01:01:45,520
They’re how you turn bursty, user-driven orchestration into steady, governable execution.
1338
01:01:45,520 –> 01:01:46,760
The flow submits a job.
1339
01:01:46,760 –> 01:01:49,800
The execution tier pulls and processes at a controlled rate.
1340
01:01:49,800 –> 01:01:51,840
The flow track state and notifies humans.
1341
01:01:51,840 –> 01:01:55,720
That’s orchestration behaving like orchestration instead of pretending to be a compute engine.
1342
01:01:55,720 –> 01:02:00,960
Now the cost part because cost is where executives suddenly develop strong opinions about architecture.
1343
01:02:00,960 –> 01:02:04,760
Power automate costs scale with runs and premium connectors.
1344
01:02:04,760 –> 01:02:07,160
Execution tier costs scale with compute and throughput.
1345
01:02:07,160 –> 01:02:11,640
If you keep pushing compute into flows, you pay for orchestration to do execution poorly.
1346
01:02:11,640 –> 01:02:16,200
And if you push compute into Python services, you pay for execution to do execution well.
1347
01:02:16,200 –> 01:02:20,120
The hybrid mandate is the only model that lets you choose deliberately which cost curve
1348
01:02:20,120 –> 01:02:21,440
you want.
1349
01:02:21,440 –> 01:02:22,880
Scaling doesn’t reward optimism.
1350
01:02:22,880 –> 01:02:24,120
It rewards boundaries.
1351
01:02:24,120 –> 01:02:28,120
And if you don’t enforce those boundaries early, you’ll enforce them later under incident
1352
01:02:28,120 –> 01:02:30,800
pressure with angry stakeholders and unclear ownership.
1353
01:02:30,800 –> 01:02:35,240
That’s the most expensive way to learn platform limits, so treat limits and throttles as architectural
1354
01:02:35,240 –> 01:02:40,960
inputs designed for back pressure, enforce id-impotency, throttle at APIM.
1355
01:02:40,960 –> 01:02:43,440
Queue when volume isn’t polite.
1356
01:02:43,440 –> 01:02:49,200
Otherwise success becomes a tax you pay in conditional C, alum discipline, versioned contracts,
1357
01:02:49,200 –> 01:02:50,680
not version screenshots.
1358
01:02:50,680 –> 01:02:53,920
Once the hybrid pattern works, the enterprise does what it always does.
1359
01:02:53,920 –> 01:02:58,360
It promotes the prototype to production by continuing to rely on it, not through a formal
1360
01:02:58,360 –> 01:03:00,040
release, through repetition.
1361
01:03:00,040 –> 01:03:04,120
And that’s where ALM either shows up as architecture or disappears as ceremony.
1362
01:03:04,120 –> 01:03:08,840
Power platform teams often treat life cycle management as export the flow and import the flow.
1363
01:03:08,840 –> 01:03:10,600
That’s not life cycle management.
1364
01:03:10,600 –> 01:03:14,040
That’s file movement, it preserves an artifact, but it doesn’t preserve intent, it doesn’t
1365
01:03:14,040 –> 01:03:17,520
preserve dependency versions, it doesn’t preserve contracts, and it absolutely doesn’t
1366
01:03:17,520 –> 01:03:21,000
preserve the one thing that matters when systems drift, a traceable change story.
1367
01:03:21,000 –> 01:03:25,200
In hybrid automation, ALM has to be centered on contracts, not canvas, because the boundary
1368
01:03:25,200 –> 01:03:28,280
between orchestration and execution is not a diagram.
1369
01:03:28,280 –> 01:03:33,480
It’s an agreement, what inputs are allowed, what outputs are guaranteed, what failures mean,
1370
01:03:33,480 –> 01:03:34,800
and what gets logged.
1371
01:03:34,800 –> 01:03:39,320
If that agreement changes silently, you don’t get a neat failure, you get a slow governance
1372
01:03:39,320 –> 01:03:44,560
leak, makers implement workarounds, engineers add temporary compatibility, and within a
1373
01:03:44,560 –> 01:03:48,520
quarter you’ve rebuilt the same entropy generator you were trying to escape.
1374
01:03:48,520 –> 01:03:52,880
So the first rule is blunt version the API contract like it’s a product because it is.
1375
01:03:52,880 –> 01:03:58,280
If the Python execution tier exposes endpoints behind APIM, those endpoints need explicit versions,
1376
01:03:58,280 –> 01:04:02,320
not will keep it compatible, not it’s just internal.
1377
01:04:02,320 –> 01:04:06,160
Internal API is break more businesses than external ones because nobody budgets for internal
1378
01:04:06,160 –> 01:04:07,160
change management.
1379
01:04:07,160 –> 01:04:12,080
So you publish V1, you add V2 when behavior changes, you deprecate with the timeline, and
1380
01:04:12,080 –> 01:04:16,480
you use APM analytics to see which flows still call V1 because otherwise your deprecation
1381
01:04:16,480 –> 01:04:18,000
plan is a fantasy.
1382
01:04:18,000 –> 01:04:22,760
The second rule, treat Python dependencies as production supply chain, not as a maker convenience.
1383
01:04:22,760 –> 01:04:27,720
A requirements dot dxt that changes because someone ran PIP install locally is not an enterprise
1384
01:04:27,720 –> 01:04:28,840
artifact.
1385
01:04:28,840 –> 01:04:34,240
The execution tier needs PINT dependencies, repeatable builds, and a controlled promotion path.
1386
01:04:34,240 –> 01:04:38,080
Otherwise you will eventually redeploy a function and discover that a transitive dependency
1387
01:04:38,080 –> 01:04:43,560
updated behavior changed and the workflow now produces different outputs for the same input.
1388
01:04:43,560 –> 01:04:48,080
That’s not Python being risky, that’s you refusing to manage the execution tier as software
1389
01:04:48,080 –> 01:04:52,960
and yes the same applies to prompts and model configurations if you’re doing inference.
1390
01:04:52,960 –> 01:04:53,960
Configuration is code.
1391
01:04:53,960 –> 01:04:58,760
If it can change behavior it must be versioned, reviewed, and released with traceability.
1392
01:04:58,760 –> 01:05:03,200
Now the power platform side, flows, apps, and solutions also need discipline but not
1393
01:05:03,200 –> 01:05:04,680
the fake kind.
1394
01:05:04,680 –> 01:05:08,760
And screenshots are what teams produce when they don’t have deployment artifacts.
1395
01:05:08,760 –> 01:05:11,800
Here’s the run history, here’s the screenshot of the trigger.
1396
01:05:11,800 –> 01:05:15,600
Here’s the expression that worked, that’s documentation of accidents, not documentation
1397
01:05:15,600 –> 01:05:16,600
of design.
1398
01:05:16,600 –> 01:05:22,600
Real ALM means the flow lives in a solution, uses environment variables, references connections
1399
01:05:22,600 –> 01:05:27,360
that are created intentionally, and gets promoted through dev, test, and prod like any other
1400
01:05:27,360 –> 01:05:28,840
artifact.
1401
01:05:28,840 –> 01:05:31,320
Environment separation is not negotiable in the hybrid mandate.
1402
01:05:31,320 –> 01:05:35,760
If Dev and prod share the same API, the same identities in the same dataverse tables you
1403
01:05:35,760 –> 01:05:40,040
don’t have environments, you have one environment with extra steps.
1404
01:05:40,040 –> 01:05:41,560
Separation is what makes change safe.
1405
01:05:41,560 –> 01:05:46,640
Dev calls dev APM, test calls test APM, prod calls prod APM, and the identities are separate
1406
01:05:46,640 –> 01:05:50,520
because permissions drift differently in each place and you need the ability to revoke,
1407
01:05:50,520 –> 01:05:54,000
rotate, and audit without breaking everything at once.
1408
01:05:54,000 –> 01:05:57,960
Promotion should be gated on traceability, which flow version, which API version, which
1409
01:05:57,960 –> 01:06:03,160
Python build, which dependency set, which APIM policy set, if you can’t answer that on demand,
1410
01:06:03,160 –> 01:06:07,200
you are not operating a system, you are operating a coincidence, and here’s the part that makes
1411
01:06:07,200 –> 01:06:09,080
people uncomfortable.
1412
01:06:09,080 –> 01:06:13,080
Ownership has to follow the artifacts, makers can own orchestration logic, but they cannot
1413
01:06:13,080 –> 01:06:16,040
be the release managers for execution code.
1414
01:06:16,040 –> 01:06:19,360
Engineers can own execution services, but they cannot be the only people who understand
1415
01:06:19,360 –> 01:06:21,240
when a business process changes.
1416
01:06:21,240 –> 01:06:25,160
Platform teams can own identities and policies, but they cannot be the catch all for every,
1417
01:06:25,160 –> 01:06:27,040
it stopped working complaint.
1418
01:06:27,040 –> 01:06:32,360
So you need a release contract across teams, makers, change flows, engineers, change services,
1419
01:06:32,360 –> 01:06:37,440
platform governs the boundaries, and everyone agrees on what constitutes a breaking change,
1420
01:06:37,440 –> 01:06:40,200
because the hybrid mandate is not low code plus Python.
1421
01:06:40,200 –> 01:06:42,640
It’s a system where drift is expected and managed.
1422
01:06:42,640 –> 01:06:44,400
RM is the drift management layer.
1423
01:06:44,400 –> 01:06:47,760
Without it, your 3-tier model collapses back into improvisation.
1424
01:06:47,760 –> 01:06:50,840
With it, you get the only real enterprise outcome.
1425
01:06:50,840 –> 01:06:54,840
Stable orchestration, deterministic execution, and governance that survives the next
1426
01:06:54,840 –> 01:06:55,840
year.
1427
01:06:55,840 –> 01:06:59,600
Operating model, COE as entropy management, not a maker police.
1428
01:06:59,600 –> 01:07:03,280
The hybrid mandate dies in most organizations for a boring reason.
1429
01:07:03,280 –> 01:07:08,720
Nobody owns the space between maker velocity and enterprise responsibility, so the platform
1430
01:07:08,720 –> 01:07:09,720
drifts.
1431
01:07:09,720 –> 01:07:13,680
Not because people are reckless, because the operating model doesn’t exist, and systems
1432
01:07:13,680 –> 01:07:16,080
will always root around missing structure.
1433
01:07:16,080 –> 01:07:19,320
That’s what the center of excellence is for, not as a governance theatre committee,
1434
01:07:19,320 –> 01:07:22,800
not as the department of note as entropy management.
1435
01:07:22,800 –> 01:07:26,680
Because the work isn’t stopping makers from building things, that’s impossible.
1436
01:07:26,680 –> 01:07:29,880
The work is preventing the accumulation of invisible exceptions.
1437
01:07:29,880 –> 01:07:34,840
One-off connectors, ad hoc service accounts, copy pasted flows, unversioned endpoints, and
1438
01:07:34,840 –> 01:07:38,080
temporary bypasses that become permanent dependencies.
1439
01:07:38,080 –> 01:07:41,840
A COE that behaves like maker police creates a predictable failure mode.
1440
01:07:41,840 –> 01:07:46,000
Makers go quiet, they build anyway, they stop asking questions, solutions move into the dark,
1441
01:07:46,000 –> 01:07:50,040
and the first time leadership hears about it is during an audit or after an incident,
1442
01:07:50,040 –> 01:07:51,760
when the response is always the same.
1443
01:07:51,760 –> 01:07:53,560
How did we not know this existed?
1444
01:07:53,560 –> 01:07:55,720
So the COE has to be positioned differently.
1445
01:07:55,720 –> 01:08:00,360
The COE is the team that curates the enterprise patterns that make hybrid safe.
1446
01:08:00,360 –> 01:08:04,680
Reference architectures, approved integration paths, and the boundary rules that keep orchestration
1447
01:08:04,680 –> 01:08:09,120
low-code, execution deterministic, and governance enforceable in Azure.
1448
01:08:09,120 –> 01:08:13,240
The COE doesn’t build every solution, it builds the rails that make solutions survivable,
1449
01:08:13,240 –> 01:08:15,760
that means the COE owns four concrete things.
1450
01:08:15,760 –> 01:08:17,600
First, portfolio visibility.
1451
01:08:17,600 –> 01:08:18,840
Not a vanity inventory.
1452
01:08:18,840 –> 01:08:21,320
An actual portfolio with classification.
1453
01:08:21,320 –> 01:08:22,320
Productivity.
1454
01:08:22,320 –> 01:08:23,680
Team workflow.
1455
01:08:23,680 –> 01:08:25,160
Departmental system.
1456
01:08:25,160 –> 01:08:26,360
Enterprise workflow.
1457
01:08:26,360 –> 01:08:27,360
Regulated workflow.
1458
01:08:27,360 –> 01:08:29,880
Those categories determine which guard rails apply.
1459
01:08:29,880 –> 01:08:32,800
If everything gets treated like production, delivery freezes.
1460
01:08:32,800 –> 01:08:35,960
If nothing gets treated like production, entropy wins.
1461
01:08:35,960 –> 01:08:38,000
Classification is the compromise that scales.
1462
01:08:38,000 –> 01:08:39,840
Second, patterns and reusable assets.
1463
01:08:39,840 –> 01:08:42,920
The COE should publish the standard integration contracts.
1464
01:08:42,920 –> 01:08:44,600
How a flow calls an API?
1465
01:08:44,600 –> 01:08:48,880
Where correlation IDs come from, what APIM policies are non-negotiable, what an error response
1466
01:08:48,880 –> 01:08:51,960
looks like, what “ident potent” means in this tenant.
1467
01:08:51,960 –> 01:08:53,640
Makers don’t need a 90-page document.
1468
01:08:53,640 –> 01:08:57,520
They need a template and a reference implementation that works the first time.
1469
01:08:57,520 –> 01:08:59,480
Third, the escalation path.
1470
01:08:59,480 –> 01:09:00,840
Fusion teams are not a slogan.
1471
01:09:00,840 –> 01:09:02,320
They’re an operating model.
1472
01:09:02,320 –> 01:09:06,080
Citizen makers own orchestration logic and business process.
1473
01:09:06,080 –> 01:09:08,000
Engineers own the execution tier.
1474
01:09:08,000 –> 01:09:09,000
Python services.
1475
01:09:09,000 –> 01:09:10,000
Packaging.
1476
01:09:10,000 –> 01:09:11,000
Dependency pinning.
1477
01:09:11,000 –> 01:09:12,000
Performance.
1478
01:09:12,000 –> 01:09:13,000
And reliability.
1479
01:09:13,000 –> 01:09:15,360
Platform teams own the governance tier.
1480
01:09:15,360 –> 01:09:20,920
For identities, network boundaries, secrets, logging and policy enforcement, the COE coordinates
1481
01:09:20,920 –> 01:09:24,120
those handoffs, so work doesn’t stall in politics.
1482
01:09:24,120 –> 01:09:27,080
Fourth, enforcement mechanisms that don’t rely on willpower.
1483
01:09:27,080 –> 01:09:31,680
DLP policies, environment strategy, managed environments, connector governance, APM policy
1484
01:09:31,680 –> 01:09:33,800
baselines and identity standards.
1485
01:09:33,800 –> 01:09:37,920
The COE should define what’s allowed but also make the allowed path the easiest path.
1486
01:09:37,920 –> 01:09:42,360
If the secure path is harder than the insecure path, you’ve built a lesson in architectural
1487
01:09:42,360 –> 01:09:43,360
erosion.
1488
01:09:43,360 –> 01:09:45,080
Now the part everyone avoids, intake.
1489
01:09:45,080 –> 01:09:48,840
We need a clear rule for when a flow qualifies for the execution tier.
1490
01:09:48,840 –> 01:09:53,120
Not because makers can’t do it, because the organization can’t afford every complex automation
1491
01:09:53,120 –> 01:09:55,440
to become a bespoke debugging exercise.
1492
01:09:55,440 –> 01:09:57,880
So the intake criteria should be mechanical.
1493
01:09:57,880 –> 01:10:00,320
Data transforms beyond simple mapping.
1494
01:10:00,320 –> 01:10:05,280
bulk operations above a threshold, long running jobs, ML inference, cross-environment integration,
1495
01:10:05,280 –> 01:10:08,800
and anything that touches regulated data with non-trivial logic.
1496
01:10:08,800 –> 01:10:13,600
When those triggers appear, the COE roots the work into the hybrid pattern.
1497
01:10:13,600 –> 01:10:17,560
It’s a great, empowered platform, execute in Python, govern in Azure, and the COE has
1498
01:10:17,560 –> 01:10:20,000
to defend that boundary in both directions.
1499
01:10:20,000 –> 01:10:24,160
It needs to stop makers from smuggling execution into flows through scopes, baguette and connector
1500
01:10:24,160 –> 01:10:25,160
abuse.
1501
01:10:25,160 –> 01:10:29,680
But it also needs to stop engineers from bypassing orchestration and building shadow services
1502
01:10:29,680 –> 01:10:32,480
that mutate dataverse without process visibility.
1503
01:10:32,480 –> 01:10:36,720
Both our entropy generators both feel justified in the moment, both become permanent.
1504
01:10:36,720 –> 01:10:39,320
This is why the COE’s job is not approval.
1505
01:10:39,320 –> 01:10:41,760
It’s alignment.
1506
01:10:41,760 –> 01:10:47,200
It means every hybrid solution has an accountable orchestration owner, an accountable execution
1507
01:10:47,200 –> 01:10:49,360
owner, and an accountable governance owner.
1508
01:10:49,360 –> 01:10:51,840
If any of those are missing, the solution is already abandoned.
1509
01:10:51,840 –> 01:10:53,000
It just hasn’t failed yet.
1510
01:10:53,000 –> 01:10:55,480
And finally, the COE needs to measure drift.
1511
01:10:55,480 –> 01:10:58,080
Not with vanity metrics like number of apps.
1512
01:10:58,080 –> 01:11:02,680
With indicators that predict incidents, number of public endpoints, number of flows using
1513
01:11:02,680 –> 01:11:07,360
personal connections, number of APIs without versioning, number of workloads without correlated
1514
01:11:07,360 –> 01:11:12,000
logging and number of solutions living only in the default environment.
1515
01:11:12,000 –> 01:11:15,480
Those are the cracks where chaos enters, and mature COE doesn’t block progress.
1516
01:11:15,480 –> 01:11:20,320
It makes progress repeatable, and that’s the entire point of the hybrid mandate, agility,
1517
01:11:20,320 –> 01:11:24,280
but with discipline enforced by design, not by optimism.
1518
01:11:24,280 –> 01:11:28,480
Executive risk framing, what you’re actually buying with the hybrid mandate.
1519
01:11:28,480 –> 01:11:30,640
Executives don’t approve architecture diagrams.
1520
01:11:30,640 –> 01:11:34,280
They approve risk trades, and the reason the hybrid mandate matters is that it converts
1521
01:11:34,280 –> 01:11:38,160
a set of vague emotional arguments into measurable enforceable properties.
1522
01:11:38,160 –> 01:11:41,720
Mostly, the ship teams think they’re buying speed when they fund power platform.
1523
01:11:41,720 –> 01:11:42,720
They’re not.
1524
01:11:42,720 –> 01:11:45,800
They’re buying the ability to push decision making closer to the business without collapsing
1525
01:11:45,800 –> 01:11:46,800
governance.
1526
01:11:46,800 –> 01:11:51,200
That distinction matters because if the only lever you pull is velocity, the organization
1527
01:11:51,200 –> 01:11:53,080
will absolutely achieve velocity.
1528
01:11:53,080 –> 01:11:57,200
It will just be velocity towards sprawl inconsistent controls and operational ambiguity.
1529
01:11:57,200 –> 01:11:58,640
The platform doesn’t stop that.
1530
01:11:58,640 –> 01:11:59,640
It enables it.
1531
01:11:59,640 –> 01:12:02,480
So here’s what you’re actually buying with the hybrid mandate.
1532
01:12:02,480 –> 01:12:05,520
Lower incident costs through determinism.
1533
01:12:05,520 –> 01:12:07,440
Incidents are expensive for one reason.
1534
01:12:07,440 –> 01:12:09,160
Nobody can agree on what happened.
1535
01:12:09,160 –> 01:12:13,640
The bridge called Bern’s time reconstructing reality across flow runs, connect the behavior,
1536
01:12:13,640 –> 01:12:15,480
and back end logs that don’t line up.
1537
01:12:15,480 –> 01:12:20,400
The hybrid mandate forces a deterministic execution tier with correlated logging and enforced
1538
01:12:20,400 –> 01:12:21,400
contracts.
1539
01:12:21,400 –> 01:12:23,440
That means failures stop being interpretive.
1540
01:12:23,440 –> 01:12:24,640
They become traceable.
1541
01:12:24,640 –> 01:12:28,120
Your mean time to innocence drops, which is the only metric leadership should care about
1542
01:12:28,120 –> 01:12:29,360
during an outage.
1543
01:12:29,360 –> 01:12:31,440
And your mean time to resolution follows.
1544
01:12:31,440 –> 01:12:32,440
Second.
1545
01:12:32,440 –> 01:12:36,320
You lose security exposure through fewer parts to sensitive data.
1546
01:12:36,320 –> 01:12:38,280
Security teams don’t lose sleep over a flow.
1547
01:12:38,280 –> 01:12:42,560
They lose sleep over uncontrolled identities sprawl and unmanaged egress.
1548
01:12:42,560 –> 01:12:46,560
When data verse becomes directly reachable from arbitrary runtimes, you increase the number
1549
01:12:46,560 –> 01:12:49,680
of principles, endpoints, and data paths that can leak.
1550
01:12:49,680 –> 01:12:51,200
That is the blast radius problem.
1551
01:12:51,200 –> 01:12:56,600
The hybrid mandate shrinks the blast radius by forcing data access through governed boundaries.
1552
01:12:56,600 –> 01:13:00,680
Entra workload identity, network containment, and policy enforcement at the API edge.
1553
01:13:00,680 –> 01:13:03,040
You don’t eliminate risk, you stop multiplying it.
1554
01:13:03,040 –> 01:13:04,040
Third.
1555
01:13:04,040 –> 01:13:06,760
Reduced compliance, pain through evidence, not assertions.
1556
01:13:06,760 –> 01:13:08,920
Compliance audits are not asking whether you have policies.
1557
01:13:08,920 –> 01:13:11,280
They’re asking whether policies survive pressure.
1558
01:13:11,280 –> 01:13:14,680
The hybrid mandate gives you artifacts auditors can understand.
1559
01:13:14,680 –> 01:13:19,120
Versioned APIs, consistent authentication, bounded payloads, and end-to-end traces tied to
1560
01:13:19,120 –> 01:13:20,800
a correlation ID.
1561
01:13:20,800 –> 01:13:25,720
That turns, we think it’s controlled into, here is the record of the decision, the execution,
1562
01:13:25,720 –> 01:13:27,000
and the commit.
1563
01:13:27,000 –> 01:13:30,640
Audit conversations get shorter when you can show proof without assembling a narrative.
1564
01:13:30,640 –> 01:13:34,840
Both reduced vendor lock-in risk by separating orchestration from execution.
1565
01:13:34,840 –> 01:13:36,280
This is where people get confused.
1566
01:13:36,280 –> 01:13:38,440
The hybrid mandate is not anti-power platform.
1567
01:13:38,440 –> 01:13:39,440
It’s pro-boundary.
1568
01:13:39,440 –> 01:13:43,000
When you bury your business logic inside flows, you hardwire your enterprise behavior
1569
01:13:43,000 –> 01:13:46,240
to a tool that was designed for orchestration, not compute.
1570
01:13:46,240 –> 01:13:50,200
Over time, every workaround becomes a dependency and migration becomes a rewrite.
1571
01:13:50,200 –> 01:13:54,640
When you externalize deterministic logic into Python services behind stable contracts,
1572
01:13:54,640 –> 01:13:57,800
you create portability, not because you plan to leave, because you want the option
1573
01:13:57,800 –> 01:13:59,720
to evolve without ransom.
1574
01:13:59,720 –> 01:14:01,800
And can change platforms later.
1575
01:14:01,800 –> 01:14:05,040
Execution services can be reused, governance controls remain enforceable.
1576
01:14:05,040 –> 01:14:08,800
Fifth, better talent alignment and lower organizational friction.
1577
01:14:08,800 –> 01:14:12,680
Citizen makers should not be carrying the responsibility for runtime patching, dependency
1578
01:14:12,680 –> 01:14:14,800
management, and API design.
1579
01:14:14,800 –> 01:14:18,720
Engineers should not be writing approval workflows and chasing inbox rules.
1580
01:14:18,720 –> 01:14:21,560
The hybrid mandate makes ownership legible.
1581
01:14:21,560 –> 01:14:26,560
Makers own process orchestration, engineers own execution services, and the platform team
1582
01:14:26,560 –> 01:14:28,160
owns the governance tier.
1583
01:14:28,160 –> 01:14:33,280
It reduces the constant debate over who broke it, because the boundaries define accountability
1584
01:14:33,280 –> 01:14:35,640
before production defines it for you.
1585
01:14:35,640 –> 01:14:39,560
Now the uncomfortable executive reality, you are not funding a feature.
1586
01:14:39,560 –> 01:14:41,600
You are funding an operating model.
1587
01:14:41,600 –> 01:14:46,680
If leadership mandates low-code only, they are choosing a probabilistic security model,
1588
01:14:46,680 –> 01:14:50,280
because policy exceptions will accumulate until the system behaves differently in each
1589
01:14:50,280 –> 01:14:51,960
corner of the tenant.
1590
01:14:51,960 –> 01:14:55,800
If leadership mandates pro-code only, they are choosing a delivery bottleneck, because
1591
01:14:55,800 –> 01:14:59,760
the backlog will outgrow the team and shadow IT will happen anyway.
1592
01:14:59,760 –> 01:15:04,080
The hybrid mandate is the only position that survives entropy, low-code where orchestration
1593
01:15:04,080 –> 01:15:08,400
is the value, Python where determinism is required, and Azure where governance must
1594
01:15:08,400 –> 01:15:10,080
be enforced by design.
1595
01:15:10,080 –> 01:15:14,920
And that’s the executive purchase, fewer ambiguous outages, fewer uncontrolled data paths,
1596
01:15:14,920 –> 01:15:20,480
fewer audit surprises, and a platform that scales without turning into conditional chaos.
1597
01:15:20,480 –> 01:15:24,320
Closing executive positioning, a maturity model, not a rebellion.
1598
01:15:24,320 –> 01:15:28,240
The executive positioning has to be explicit, because otherwise the organization will hear
1599
01:15:28,240 –> 01:15:29,560
what it wants to hear.
1600
01:15:29,560 –> 01:15:32,320
Some will hear “power platform is unsafe.”
1601
01:15:32,320 –> 01:15:35,160
Others will hear “engineering” wants to take control back.
1602
01:15:35,160 –> 01:15:38,480
And makers will hear “it is about to slow everything down again.”
1603
01:15:38,480 –> 01:15:40,040
All of those interpretations are wrong.
1604
01:15:40,040 –> 01:15:42,120
The hybrid mandate is not anti-power platform.
1605
01:15:42,120 –> 01:15:44,160
Power platform is the orchestration tier.
1606
01:15:44,160 –> 01:15:45,480
That’s not a consolation price.
1607
01:15:45,480 –> 01:15:49,600
That’s the part of the system that touches humans, process, approvals and business state.
1608
01:15:49,600 –> 01:15:51,080
It’s where intent gets expressed.
1609
01:15:51,080 –> 01:15:52,600
It’s where work becomes accountable.
1610
01:15:52,600 –> 01:15:56,600
It’s where you can see why a decision happened without decompiling a service.
1611
01:15:56,600 –> 01:15:58,640
So the mandate doesn’t reduce power platform.
1612
01:15:58,640 –> 01:16:01,040
It rescues it from being forced to do execution work.
1613
01:16:01,040 –> 01:16:02,280
It was never built to do.
1614
01:16:02,280 –> 01:16:04,200
It’s also not pro-developer elitism.
1615
01:16:04,200 –> 01:16:07,760
This isn’t about real developers versus citizen developers.
1616
01:16:07,760 –> 01:16:11,360
That’s a childish framing, and it’s usually deployed by people who benefit from keeping the
1617
01:16:11,360 –> 01:16:12,520
boundary blurry.
1618
01:16:12,520 –> 01:16:16,840
The enterprise needs both skill sets because the enterprise has both kinds of work, human
1619
01:16:16,840 –> 01:16:19,040
process and deterministic compute.
1620
01:16:19,040 –> 01:16:24,280
The mandate simply assigns those responsibilities to the tiers that can carry them without collapsing.
1621
01:16:24,280 –> 01:16:28,720
Orchestration stays in low code where it’s observable and editable by the business.
1622
01:16:28,720 –> 01:16:31,560
Execution moves to Python where it’s testable and repeatable.
1623
01:16:31,560 –> 01:16:36,080
And governance sits in a zoo where identity, network, policy and logging can be enforced
1624
01:16:36,080 –> 01:16:37,400
by design.
1625
01:16:37,400 –> 01:16:39,520
And it is not a workaround for bad design.
1626
01:16:39,520 –> 01:16:43,160
A workaround is what happens when someone cannot get the platform to do what it should.
1627
01:16:43,160 –> 01:16:48,000
So they root around controls, file watches, local scripts, service accounts, random endpoints,
1628
01:16:48,000 –> 01:16:50,680
just let it through firewall rules.
1629
01:16:50,680 –> 01:16:52,360
The hybrid mandate does the opposite.
1630
01:16:52,360 –> 01:16:57,080
It builds the supported, auditable path on purpose so people stop inventing shadow paths.
1631
01:16:57,080 –> 01:17:00,320
That distinction matters because enterprises always enter hybrid.
1632
01:17:00,320 –> 01:17:04,160
The only question is whether they do it intentionally or whether they do it accidentally
1633
01:17:04,160 –> 01:17:05,160
in the dark.
1634
01:17:05,160 –> 01:17:06,160
Now, what is it?
1635
01:17:06,160 –> 01:17:10,360
It is a maturity model for enterprises that want both agility and engineering discipline.
1636
01:17:10,360 –> 01:17:13,680
At low maturity, everything lives in the orchestration tier.
1637
01:17:13,680 –> 01:17:17,560
Flows become pipelines, connectors become integration strategy, and run history becomes
1638
01:17:17,560 –> 01:17:19,200
the primary debugging tool.
1639
01:17:19,200 –> 01:17:20,880
It works until it doesn’t.
1640
01:17:20,880 –> 01:17:25,000
Then every exception becomes permanent and you’ve converted low code speed into long term
1641
01:17:25,000 –> 01:17:26,080
governance debt.
1642
01:17:26,080 –> 01:17:30,640
At the next maturity level, the organization introduces the execution tier intentionally.
1643
01:17:30,640 –> 01:17:32,800
Python becomes a service, not a sidecar.
1644
01:17:32,800 –> 01:17:34,320
Compute moves out of flows.
1645
01:17:34,320 –> 01:17:35,320
Contracts become explicit.
1646
01:17:35,320 –> 01:17:36,320
Edympotency exists.
1647
01:17:36,320 –> 01:17:37,320
Versioning exists.
1648
01:17:37,320 –> 01:17:38,720
Payloads are bounded.
1649
01:17:38,720 –> 01:17:42,440
Makeers stop writing brittle, passing logic and start consuming stable outputs.
1650
01:17:42,440 –> 01:17:46,360
At the mature level, the governance tier hardens the boundaries so the model survives
1651
01:17:46,360 –> 01:17:47,360
pressure.
1652
01:17:47,360 –> 01:17:52,160
Entra workload identity, private endpoints, dataverse behind the platform, APM enforcing
1653
01:17:52,160 –> 01:17:56,240
policy and contracts and correlated logging, so incidents are evidence-based.
1654
01:17:56,240 –> 01:17:57,240
That’s not bureaucracy.
1655
01:17:57,240 –> 01:18:00,080
That’s how systems stay stable while adoption scales.
1656
01:18:00,080 –> 01:18:03,040
So the hybrid mandate is an enterprise contract, not a diagram.
1657
01:18:03,040 –> 01:18:05,000
Power platform is the orchestration tier.
1658
01:18:05,000 –> 01:18:06,480
Python is the execution tier.
1659
01:18:06,480 –> 01:18:09,680
Azure is the governance tier and the point is not to make things harder.
1660
01:18:09,680 –> 01:18:11,520
The point is to make success survivable.
1661
01:18:11,520 –> 01:18:14,400
This is also the executive instruction stated plainly.
1662
01:18:14,400 –> 01:18:17,240
Mandate boundaries, fund the governance tier and measure drift.
1663
01:18:17,240 –> 01:18:20,240
Because drift is what kills you, not the first deployment.
1664
01:18:20,240 –> 01:18:21,240
Drift.
1665
01:18:21,240 –> 01:18:25,960
The slow accumulation of exceptions, personal connections, public endpoints, unversioned
1666
01:18:25,960 –> 01:18:30,720
APIs and temporary bypasses that quietly become the real architecture.
1667
01:18:30,720 –> 01:18:34,840
If leadership wants a platform that scales without becoming conditional chaos, then leadership
1668
01:18:34,840 –> 01:18:37,960
has to stop rewarding outcomes that ignore boundaries.
1669
01:18:37,960 –> 01:18:41,000
Don’t reward we shipped it if it shipped through a backdoor identity.
1670
01:18:41,000 –> 01:18:45,080
Don’t reward we automated it if it exposed dataverse directly.
1671
01:18:45,080 –> 01:18:50,440
Don’t reward we added AI if nobody can explain the prompt, the version, the cost or the
1672
01:18:50,440 –> 01:18:51,720
audit story.
1673
01:18:51,720 –> 01:18:55,920
Reward the pattern, reward the contract, reward the evidence.
1674
01:18:55,920 –> 01:19:01,200
That’s what maturity looks like the organization can move fast and still prove it stayed in control.
1675
01:19:01,200 –> 01:19:05,400
The only takeaway that matter, the only takeaway that matters is this.
1676
01:19:05,400 –> 01:19:10,720
Keep orchestration in power platform, put deterministic compute in Python and enforce the boundaries
1677
01:19:10,720 –> 01:19:14,360
in Azure or the system degrades into conditional chaos.
1678
01:19:14,360 –> 01:19:19,400
If you want, I can do a follow-up episode that maps this to a concrete reference architecture,
1679
01:19:19,400 –> 01:19:24,600
enter a workload identity, APIM policies, private endpoints, correlation IDs and the minimum
1680
01:19:24,600 –> 01:19:26,880
viable contracts that stop drift.
1681
01:19:26,880 –> 01:19:30,720
Subscribe for that and send me the hybrid pattern that’s failing in your tenant right now,
1682
01:19:30,720 –> 01:19:33,320
what boundary collapsed and what exception became normal.
