It is possible to establish a great security model at all possible levels, as illustrated in the below diagram:
There are security options available on the Azure Active Directory (AAD) tenant, and many more are within the different Power Platform components/Apps. These options are used for the below purposes.
Azure Active Directory (AAD)
Conditional access: These policies apply the right access controls when needed to keep organization secure and stay out of user's way when not needed. Generally, restrict access to the whole AAD tenant and all the components within the tenant, including Power Platform, for users based on defined criteria (geography, device, and membership).
AAD integration: The AAD integration ensure centralized password control, centralized identity policies, and single sign-on.
MFA: To increase the security of the authentication process and prevent malicious authentication attacks.
Data loss prevention policies: These policies prevent unattended business data leakage through Power Automate Flows and Canvas Apps.
Cross-tenant restrictions: Use cross-tenant restrictions to prevent the use of foreign public cloud services by users or public cloud services by foreign users.
Power Platform Environment without Dataverse
Instance Role: These are use to manage proper access to the instance and instance permissions.
Canvas Apps sharing: Share Canvas Apps properly with the organization users.
Power Automate flows sharing: Share Power Automate Flows properly with the organization users.
Connector permissions: Make sure proper use of connector permissions to provide every user access to only the necessary systems and data.
Power Platform Environment with Dataverse
Model-driven apps access authorization: This access authorization provides every user group within the organization access to only the necessary model-driven apps.
Provision of Users Account Governance: Use user accounts provisioning governance to avoid provisioning user accounts into unwanted Dataverse environments.
Service authentication: Use the proper service authentication model when developing external applications that connect to Dataverse or Power BI environments.
Dataverse authorization: Plan, design, and implement a proper Dataverse authorization model to ensure every user group has adequate permissions within Dataverse applications.
Session governance: Use session governance to prevent the misuse of Dataverse applications by unauthorized users and to enforce change policies, which are applied during the user authentication process.
Power Apps Portals
Portal authentication: Portal authentication options to enable external users to authenticate with their favorite identity providers.
Portal authorization: Portal authorization to ensure every external portal user group has proper access to the requisite models.
Power BI
Power BI authorization: To enable access to all necessary Power BI components for every user group.
Row-level security: To manage access to Power BI data for different user groups based on role permissions.
DirectQuery security: To apply the authorization model of the underlying data source within Power BI.
All the security-related best practices are about establishing a great security model for a Power Platform solution.
Happy learning..