Sign up to save your podcasts
Or
Share The Hybrid Mandate: Orchestrating Python Inside the Power Platform
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
The Hybrid Mandate: Orchestrating Python Inside the Power Platform
Most organizations misunderstand Power Platform. They treat it like a productivity toy.
Drag boxes. Automate an email. Call it transformation. It works at ten runs per day.
It collapses at ten thousand. Not because the platform failed.
Because complexity was never priced. So here’s the mandate:
Wrap it in identity, network containment, logging, and policy. If you don’t enforce boundaries, entropy does.
And entropy always scales faster than success. Body 1 — The Foundational Misunderstanding Power Platform Is a Control Plane (~700 words) The first mistake is calling Power Platform “a tool.” Excel is a tool.
Word is a tool. Power Platform is not. It is a control plane. It coordinates identity, connectors, environments, approvals, and data movement across your tenant. It doesn’t just automate work — it defines how work is allowed to happen. That distinction changes everything. When you treat a control plane like a toy, you stop designing it.
And when you stop designing it, the system designs itself. And it designs itself around exceptions. “Just one connector.”
“Just one bypass.”
“Just store the credential for now.”
“Just add a condition.” None of these feel large.
All of them accumulate. Eventually you’re not operating a deterministic architecture.
You’re operating a probabilistic one. The flow works — until:
“Can Power Automate call Python?” Of course it can. The real question is:
Where does compute belong? Because Python is not “just code.”
It’s a runtime. Dependencies. Network paths. Secret handling. Patching. If you bolt that onto the control plane without boundaries, you don’t get hybrid architecture. You get shadow runtime. That’s how governance disappears — not through malice, but through convenience. So reframing is required: Power Platform orchestrates.
Python executes.
Azure governs. Treat Power Platform like a control plane, and you start asking architectural questions:
Flow #2: move data.
Flow #3: transform a spreadsheet. Then trust increases. And trust becomes load. Suddenly your “workflow” is:
But you’ve turned orchestration into accidental ETL. This is where people say:
“Maybe we should call Python.” The instinct is right. But the boundary matters. If Python is:
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
If this clashes with how you’ve seen it play out, I’m always curious. I use LinkedIn for the back-and-forth.
Drag boxes. Automate an email. Call it transformation. It works at ten runs per day.
It collapses at ten thousand. Not because the platform failed.
Because complexity was never priced. So here’s the mandate:
- Power Platform = Orchestration tier
- Python = Execution tier
- Azure = Governance tier
Wrap it in identity, network containment, logging, and policy. If you don’t enforce boundaries, entropy does.
And entropy always scales faster than success. Body 1 — The Foundational Misunderstanding Power Platform Is a Control Plane (~700 words) The first mistake is calling Power Platform “a tool.” Excel is a tool.
Word is a tool. Power Platform is not. It is a control plane. It coordinates identity, connectors, environments, approvals, and data movement across your tenant. It doesn’t just automate work — it defines how work is allowed to happen. That distinction changes everything. When you treat a control plane like a toy, you stop designing it.
And when you stop designing it, the system designs itself. And it designs itself around exceptions. “Just one connector.”
“Just one bypass.”
“Just store the credential for now.”
“Just add a condition.” None of these feel large.
All of them accumulate. Eventually you’re not operating a deterministic architecture.
You’re operating a probabilistic one. The flow works — until:
- The owner leaves
- A token expires
- A connector changes its payload
- Licensing shifts
- Throttling kicks in
- A maker copies a flow and creates a parallel universe
“Can Power Automate call Python?” Of course it can. The real question is:
Where does compute belong? Because Python is not “just code.”
It’s a runtime. Dependencies. Network paths. Secret handling. Patching. If you bolt that onto the control plane without boundaries, you don’t get hybrid architecture. You get shadow runtime. That’s how governance disappears — not through malice, but through convenience. So reframing is required: Power Platform orchestrates.
Python executes.
Azure governs. Treat Power Platform like a control plane, and you start asking architectural questions:
- Which principal is calling what?
- Where do secrets live?
- What is the network path?
- Where are logs correlated?
- What happens at 10× scale?
Flow #2: move data.
Flow #3: transform a spreadsheet. Then trust increases. And trust becomes load. Suddenly your “workflow” is:
- Parsing CSV
- Normalizing columns
- Deduplicating data
- Joining sources
- Handling bulk retries
- Building error reports
- Nested loops inside nested loops
- Scopes inside scopes
- Try/catch glued together
- Run histories with 600 actions
- Retry storms
- Throttling workarounds
But you’ve turned orchestration into accidental ETL. This is where people say:
“Maybe we should call Python.” The instinct is right. But the boundary matters. If Python is:
- A file watcher
- A laptop script
- A shared service account
- A public HTTP trigger
- A hidden token in a variable
- Flow decides that work happens
- Python performs deterministic computation
- Azure enforces identity and containment
- Triggers
- Approvals
- Routing
- Status tracking
- Notifications
- Human interaction
- Heavy transforms
- Bulk compute
- Dependency management
- Runtime patching
- Deterministic compute
- Validation
- Deduplication
- Inference
- Bulk updates
- Schema enforcement
- Idempotency
- Versioned contracts
- Structured responses
- Bounded payloads
- Explicit failures
- Workload identity (Entra ID)
- Managed identities
- Secrets
- Network containment
- Private endpoints
- API policies
- Logging and correlation
- File watcher polling a folder
- Python script on a jump box
- Shared automation account
- Public function “temporarily exposed”
- Secret pasted in environment variable
- OS patch breaks dependency
- Credential expires
- Laptop shuts down
- Firewall changes
- Package update changes behavior
- Nobody knows who owns it
- Authenticated workload identity
- Private endpoint
- APIM enforcement
- Structured contract
- Correlated logging
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
If this clashes with how you’ve seen it play out, I’m always curious. I use LinkedIn for the back-and-forth.
View all episodes
By Mirko Peters (Microsoft 365 consultant and trainer)Most organizations misunderstand Power Platform. They treat it like a productivity toy.
Drag boxes. Automate an email. Call it transformation. It works at ten runs per day.
It collapses at ten thousand. Not because the platform failed.
Because complexity was never priced. So here’s the mandate:
Wrap it in identity, network containment, logging, and policy. If you don’t enforce boundaries, entropy does.
And entropy always scales faster than success. Body 1 — The Foundational Misunderstanding Power Platform Is a Control Plane (~700 words) The first mistake is calling Power Platform “a tool.” Excel is a tool.
Word is a tool. Power Platform is not. It is a control plane. It coordinates identity, connectors, environments, approvals, and data movement across your tenant. It doesn’t just automate work — it defines how work is allowed to happen. That distinction changes everything. When you treat a control plane like a toy, you stop designing it.
And when you stop designing it, the system designs itself. And it designs itself around exceptions. “Just one connector.”
“Just one bypass.”
“Just store the credential for now.”
“Just add a condition.” None of these feel large.
All of them accumulate. Eventually you’re not operating a deterministic architecture.
You’re operating a probabilistic one. The flow works — until:
“Can Power Automate call Python?” Of course it can. The real question is:
Where does compute belong? Because Python is not “just code.”
It’s a runtime. Dependencies. Network paths. Secret handling. Patching. If you bolt that onto the control plane without boundaries, you don’t get hybrid architecture. You get shadow runtime. That’s how governance disappears — not through malice, but through convenience. So reframing is required: Power Platform orchestrates.
Python executes.
Azure governs. Treat Power Platform like a control plane, and you start asking architectural questions:
Flow #2: move data.
Flow #3: transform a spreadsheet. Then trust increases. And trust becomes load. Suddenly your “workflow” is:
But you’ve turned orchestration into accidental ETL. This is where people say:
“Maybe we should call Python.” The instinct is right. But the boundary matters. If Python is:
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
If this clashes with how you’ve seen it play out, I’m always curious. I use LinkedIn for the back-and-forth.
Drag boxes. Automate an email. Call it transformation. It works at ten runs per day.
It collapses at ten thousand. Not because the platform failed.
Because complexity was never priced. So here’s the mandate:
- Power Platform = Orchestration tier
- Python = Execution tier
- Azure = Governance tier
Wrap it in identity, network containment, logging, and policy. If you don’t enforce boundaries, entropy does.
And entropy always scales faster than success. Body 1 — The Foundational Misunderstanding Power Platform Is a Control Plane (~700 words) The first mistake is calling Power Platform “a tool.” Excel is a tool.
Word is a tool. Power Platform is not. It is a control plane. It coordinates identity, connectors, environments, approvals, and data movement across your tenant. It doesn’t just automate work — it defines how work is allowed to happen. That distinction changes everything. When you treat a control plane like a toy, you stop designing it.
And when you stop designing it, the system designs itself. And it designs itself around exceptions. “Just one connector.”
“Just one bypass.”
“Just store the credential for now.”
“Just add a condition.” None of these feel large.
All of them accumulate. Eventually you’re not operating a deterministic architecture.
You’re operating a probabilistic one. The flow works — until:
- The owner leaves
- A token expires
- A connector changes its payload
- Licensing shifts
- Throttling kicks in
- A maker copies a flow and creates a parallel universe
“Can Power Automate call Python?” Of course it can. The real question is:
Where does compute belong? Because Python is not “just code.”
It’s a runtime. Dependencies. Network paths. Secret handling. Patching. If you bolt that onto the control plane without boundaries, you don’t get hybrid architecture. You get shadow runtime. That’s how governance disappears — not through malice, but through convenience. So reframing is required: Power Platform orchestrates.
Python executes.
Azure governs. Treat Power Platform like a control plane, and you start asking architectural questions:
- Which principal is calling what?
- Where do secrets live?
- What is the network path?
- Where are logs correlated?
- What happens at 10× scale?
Flow #2: move data.
Flow #3: transform a spreadsheet. Then trust increases. And trust becomes load. Suddenly your “workflow” is:
- Parsing CSV
- Normalizing columns
- Deduplicating data
- Joining sources
- Handling bulk retries
- Building error reports
- Nested loops inside nested loops
- Scopes inside scopes
- Try/catch glued together
- Run histories with 600 actions
- Retry storms
- Throttling workarounds
But you’ve turned orchestration into accidental ETL. This is where people say:
“Maybe we should call Python.” The instinct is right. But the boundary matters. If Python is:
- A file watcher
- A laptop script
- A shared service account
- A public HTTP trigger
- A hidden token in a variable
- Flow decides that work happens
- Python performs deterministic computation
- Azure enforces identity and containment
- Triggers
- Approvals
- Routing
- Status tracking
- Notifications
- Human interaction
- Heavy transforms
- Bulk compute
- Dependency management
- Runtime patching
- Deterministic compute
- Validation
- Deduplication
- Inference
- Bulk updates
- Schema enforcement
- Idempotency
- Versioned contracts
- Structured responses
- Bounded payloads
- Explicit failures
- Workload identity (Entra ID)
- Managed identities
- Secrets
- Network containment
- Private endpoints
- API policies
- Logging and correlation
- File watcher polling a folder
- Python script on a jump box
- Shared automation account
- Public function “temporarily exposed”
- Secret pasted in environment variable
- OS patch breaks dependency
- Credential expires
- Laptop shuts down
- Firewall changes
- Package update changes behavior
- Nobody knows who owns it
- Authenticated workload identity
- Private endpoint
- APIM enforcement
- Structured contract
- Correlated logging
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
If this clashes with how you’ve seen it play out, I’m always curious. I use LinkedIn for the back-and-forth.