Week One Is Your Window

Most new CoE leaders spend their first week reading documentation, attending stakeholder meetings, and trying to understand what's already been built. That's fine — but it's not enough. The first week is also your highest-leverage window to establish governance foundations that will shape everything that comes after.

Governance gaps don't stay small. A missing DLP policy lets a citizen developer connect a production flow to a personal OneDrive. A missing offboarding process means apps die when their creators leave. A missing monitoring strategy means you discover problems through support tickets, not dashboards.

74% of Power Platform projects fail to scale past their initial team due to governance gaps (Gartner Low-Code Governance Survey, 2025).

This checklist is not a 90-day roadmap. It's a week-one sprint. Thirty items across six categories — environment setup, user management, monitoring, security, communication, and measurement. Some take 20 minutes. Some take a full day. All of them are foundational.

Don't try to boil the ocean. Work through the list in order. Check items off as you go. By end of week one, you'll have a governance posture that most CoEs take six months to reach.

Environment Setup
Your environment structure is the foundation of every governance decision that follows. Get this wrong and DLP policies, security roles, and connector management all become harder to enforce.
#1
Create separate Production, Development, and Sandbox environments
Production is for live business apps only. Dev is for IT-managed builds. Sandbox is for citizen developer experimentation. Without this separation, every environment becomes production by accident — and "fix it in prod" becomes your governance model.
#2
Set a default DLP policy that blocks business-data connectors outside approved environments
The tenant-wide policy (scoped to all environments) should be restrictive. Start with the three DLP groups: Business (Microsoft 365, Dataverse, Dynamics 365), Non-Business (everything else), and Blocked (connectors that should never be used). A single app or flow cannot mix Business and Non-Business connectors, which is exactly what keeps production data out of personal storage. Set the default classification for newly released connectors to Blocked or Non-Business, so a connector Microsoft ships next month is not Business by accident. Citizen developers can request exceptions, but the default should protect data first.
#3
Define your connector classification tiers and document them
Your DLP policy is only as strong as its documentation. Makers need to know which connectors are approved, which require a request, and which are blocked permanently. Publish this as a one-page reference in your CoE SharePoint. Undocumented policies create shadow workarounds — documented ones create trust.
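A documented tier list is only useful if the live policy agrees with it. The following script is an added example, not part of the original checklist or the CoE Starter Kit: it reads every DLP policy with the Microsoft.PowerApps.Administration.PowerShell module and compares the connector groups against the tiers you published for #2 and #3. The `$documentedTiers` table is a constructed stand-in for your one-page reference; the group names (Confidential = Business, General = Non-Business, Blocked) and the `connectorGroups` / `defaultConnectorsClassification` fields are the ones `Get-DlpPolicy` returns, and the connector ids use the documented `/providers/Microsoft.PowerApps/apis/<name>` form.

```powershell
# Added example: check the live tenant DLP policy against the documented tiers.
# Needs the Microsoft.PowerApps.Administration.PowerShell module and a
# Power Platform admin account.
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser -Force
Add-PowerAppsAccount

# Your one-page reference, as a lookup (constructed sample; replace with yours).
# Group names as Get-DlpPolicy reports them:
#   Confidential = Business, General = Non-Business, Blocked = Blocked.
$documentedTiers = @{
    'shared_office365'                = 'Confidential'   # Office 365 Outlook
    'shared_sharepointonline'         = 'Confidential'
    'shared_commondataserviceforapps' = 'Confidential'   # Dataverse
    'shared_dropbox'                  = 'Blocked'
    'shared_ftp'                      = 'Blocked'
    'shared_twitter'                  = 'General'
}

$policies = @(Get-DlpPolicy)
$tenantWide = @($policies | Where-Object { $_.environmentType -eq 'AllEnvironments' })
if ($tenantWide.Count -ne 1) {
    Write-Warning "Expected exactly one tenant-wide (AllEnvironments) policy, found $($tenantWide.Count)."
}

foreach ($policy in $policies) {
    Write-Host ("`nPolicy '{0}'  scope={1}  new-connector default={2}" -f
        $policy.displayName, $policy.environmentType, $policy.defaultConnectorsClassification)

    if ($policy.defaultConnectorsClassification -eq 'Confidential') {
        Write-Warning '  Newly released connectors land in Business by default; change this to Blocked or General.'
    }

    # Flatten connectorGroups into: connector short name -> classification.
    $actual = @{}
    foreach ($group in $policy.connectorGroups) {
        foreach ($connector in $group.connectors) {
            $shortName = ($connector.id -split '/')[-1]
            $actual[$shortName] = $group.classification
        }
    }

    # Connectors absent from every group take the policy's default classification.
    foreach ($name in $documentedTiers.Keys) {
        $expected = $documentedTiers[$name]
        $got = if ($actual.ContainsKey($name)) { $actual[$name] } else { $policy.defaultConnectorsClassification }
        if ($got -ne $expected) {
            Write-Warning ('  {0}: documented as {1}, policy has {2}' -f $name, $expected, $got)
        }
    }
}
```

Run it once after you publish the tier document and again whenever a connector exception is granted; every warning is either a policy to fix or a document to update, and either way the two drift apart otherwise.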
#4
Enable tenant-wide auditing and activity logging
Power Apps, Power Automate and Dataverse activity is written to the Microsoft 365 unified audit log only if auditing is turned on for the tenant. Confirm that in the Microsoft Purview portal first, then check each environment's Dataverse audit settings (environment > Settings > Audit and logs in the Power Platform admin center). You cannot govern what you cannot see. Activity logs are the raw material for every monitoring dashboard you'll build, and for incident response when something goes wrong.
#5
Restrict environment creation to admins and the CoE team
By default, any licensed user can create trial environments, and production environments if capacity is available. Lock this down with the tenant settings "Who can create production and sandbox environments" and "Who can create trial environments" (Power Platform admin center > Settings), set to "Only specific admins". Approved environment owners then get environments through your intake process rather than self-service. Environment sprawl is one of the hardest governance problems to fix retroactively; prevent it on day one.
User Management
Citizen developers are your biggest asset and your biggest governance risk — often simultaneously. Define the path from "interested" to "approved maker" before anyone asks.
#6
Define citizen developer roles and permission tiers
Not every maker should have the same access. A common three-tier model: Explorer (can build in sandbox only), Builder (can build in dev, can request production deployment), and Champion (approved to deploy directly with peer review). Document the criteria for each tier and the path to advance.
#7
Build an "approved to build" onboarding process with minimum training requirements
Before someone gets maker access, they should complete a minimum baseline: Power Platform fundamentals training (Microsoft Learn has free paths), a DLP and data classification overview, and acknowledgment of your governance policy. This isn't gatekeeping — it's protecting them from governance violations they didn't know about.
#8
Create a Power Platform community in Teams or Viva Engage
Your community is where makers ask questions, share solutions, and get governance guidance without filing a ticket. Stand it up in week one — even if there are only three members. A dedicated channel signals that the CoE is serious about maker support, not just enforcement.
#9
Create a maker intake form for new app and flow requests
When someone wants to build something new, they should fill out a brief intake form: business problem, expected users, data sources required, and target environment. This gives your CoE visibility into what's being built before it's live — and creates a record that makes future support much easier.
#10
Document your CoE team structure and point-of-contact assignments
Every maker should know who to call for what. Who handles DLP exception requests? Who approves production deployments? Who owns the CoE community? Publish a simple one-page contact map. The alternative is every question landing in the same inbox — and nothing getting answered fast enough.


Monitoring
You inherited a tenant. You need to know what's in it. Run your first inventory before you make any other governance changes — you can't prioritize what you can't see.
#11
Run your first app inventory using the CoE Starter Kit or admin connectors
Microsoft's free CoE Starter Kit gives you an immediate view of every app, flow, and connector in your tenant. Install it in your dedicated CoE environment and run the first data sync. You'll likely find apps you didn't know existed — and flows running against connectors you thought were blocked.
#12
Audit existing flows for critical business processes running without oversight
Sort your flow inventory by run count. The flows with the highest activity are almost certainly running critical business processes — approvals, notifications, data syncs. Identify the top 20 by volume. Do they have owners? Are they documented? Do they have error handling? Undocumented critical flows are your highest-risk governance gap.
#13
Identify apps with 10 or more active users (your crown jewels)
High-usage apps are business-critical even if nobody called them that. Find every app with 10 or more monthly active users. These need an assigned owner, a support path, and a change management process. If the person who built them leaves tomorrow, someone needs to be able to maintain them. Right now, can they?
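If the CoE Starter Kit is not installed yet, the admin cmdlets give you a first inventory the same afternoon. The script below is an added example, not part of the original checklist: it walks every environment with Microsoft.PowerApps.Administration.PowerShell, lists each app and flow with owner and last-modified date, flags apps shared with the whole tenant, and writes a dated CSV you can file as your baseline (#11 to #13). Usage counts are not exposed by these cmdlets; take those from the admin center analytics or the Starter Kit. The output path is an assumption, and the owner fields (`Owner.email`, `CreatedBy.userPrincipalName`) are the names the cmdlet output uses in my tenant; check one object with `Format-List` if yours differ.

```powershell
# Added example: first tenant inventory of apps and flows, with "shared with
# Everyone" flagged. Requires Microsoft.PowerApps.Administration.PowerShell
# and a Power Platform admin account.
Add-PowerAppsAccount

$outFile = ".\pp-inventory-$(Get-Date -Format yyyyMMdd).csv"   # assumption: local path
$rows = New-Object System.Collections.Generic.List[object]

foreach ($env in Get-AdminPowerAppEnvironment) {
    foreach ($app in Get-AdminPowerApp -EnvironmentName $env.EnvironmentName) {
        # A role assignment whose PrincipalType is 'Tenant' is the "Everyone" share.
        $everyone = Get-AdminPowerAppRoleAssignment -AppName $app.AppName -EnvironmentName $env.EnvironmentName |
                    Where-Object { $_.PrincipalType -eq 'Tenant' }
        $rows.Add([pscustomobject]@{
            Type               = 'App'
            Environment        = $env.DisplayName
            Name               = $app.DisplayName
            Id                 = $app.AppName
            Owner              = $app.Owner.email
            LastModified       = $app.LastModifiedTime
            Enabled            = $null
            SharedWithEveryone = [bool]$everyone
        })
    }
    foreach ($flow in Get-AdminFlow -EnvironmentName $env.EnvironmentName) {
        $rows.Add([pscustomobject]@{
            Type               = 'Flow'
            Environment        = $env.DisplayName
            Name               = $flow.DisplayName
            Id                 = $flow.FlowName
            Owner              = $flow.CreatedBy.userPrincipalName
            LastModified       = $flow.LastModifiedTime
            Enabled            = $flow.Enabled
            SharedWithEveryone = $false
        })
    }
}

$rows | Export-Csv -Path $outFile -NoTypeInformation

# Two summaries worth pasting into the week-one leadership note.
$rows | Group-Object Environment, Type |
    Select-Object @{n='Environment/Type'; e={$_.Name}}, Count |
    Format-Table -AutoSize
$rows | Where-Object { $_.SharedWithEveryone } |
    Select-Object Environment, Name, Owner |
    Format-Table -AutoSize
```

Expect the Default environment to dominate both lists; that is normal and is the population you will triage first by owner and last-modified date.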
#14
Establish a weekly usage report for your leadership stakeholders
Leadership doesn't want to log into the admin center. They want a weekly summary: active makers, app usage trends, governance incidents, and new builds in the pipeline. Set this up as a scheduled Power BI report or even a manual email summary — but commit to the cadence. Visibility builds trust and protects your budget.
#15
Set up alerts for flows running against premium connectors
Premium connectors have licensing implications. Every flow that uses one needs a per-user or per-flow license. Configure alerts (via Power Automate or the CoE Starter Kit) when new flows trigger premium connectors. Discovering unlicensed premium usage in an audit is significantly worse than catching it in week two.
3.2x more Power Platform apps in production than IT teams are aware of, on average (Forrester Research: Citizen Development State of Practice, 2025).
Security
Power Platform's open-by-default model is a feature for makers and a liability for CoE leaders. Tighten these five settings before anything else goes live.
#16
Review and lock down sharing settings: remove "Everyone" as a sharing target
By default, makers can share apps with everyone in the tenant with a single click. That's fine for a low-sensitivity internal tool and catastrophic for an app that processes HR data. Turn on the tenant setting that hides "Everyone" from the share dialog for non-admins, so makers must share with named users or security groups. Makers who need broader access can request it through the intake process, and an admin can still make that share on their behalf.
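Both of the tenant-level locks in this checklist, environment creation (#5) and sharing with everyone (#16), live in the same settings object, so one script covers both. This is an added example, not part of the original checklist: it reads the settings with `Get-TenantSettings`, prints the current values as your before photo, flips the three switches, writes them back with `Set-TenantSettings`, and re-reads to confirm. The property names are the ones the Power Platform tenant settings document; it must run as a Power Platform or global admin.

```powershell
# Added example: restrict environment creation to admins and remove "Everyone"
# from the share dialog, using Microsoft.PowerApps.Administration.PowerShell.
Add-PowerAppsAccount
$settings = Get-TenantSettings

# Current state first; keep this output with your baseline metrics.
[pscustomobject]@{
    ProdAndSandboxCreationAdminsOnly = $settings.disableEnvironmentCreationByNonAdminUsers
    TrialCreationAdminsOnly          = $settings.disableTrialEnvironmentCreationByNonAdminUsers
    ShareWithEveryoneDisabled        = $settings.powerPlatform.powerApps.disableShareWithEveryone
} | Format-List

# Only admin roles may create production/sandbox and trial environments.
$settings.disableEnvironmentCreationByNonAdminUsers      = $true
$settings.disableTrialEnvironmentCreationByNonAdminUsers = $true
# Non-admin makers no longer see "Everyone in <tenant>" when sharing an app.
$settings.powerPlatform.powerApps.disableShareWithEveryone = $true

Set-TenantSettings -RequestBody $settings | Out-Null

# Re-read and fail loudly if anything did not stick.
$after = Get-TenantSettings
$applied = $after.disableEnvironmentCreationByNonAdminUsers -and
           $after.disableTrialEnvironmentCreationByNonAdminUsers -and
           $after.powerPlatform.powerApps.disableShareWithEveryone
if (-not $applied) {
    throw 'Tenant settings were not applied as expected; check your admin role and re-run.'
}
Write-Host 'Environment creation restricted to admins; share-with-everyone disabled for makers.'
```

One caveat: "Only specific admins" means the Global, Power Platform and Dynamics 365 admin roles, not an arbitrary security group. If an approved environment owner is not in one of those roles, they request environments through the intake form and the CoE creates them.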
#17
Enforce connector allow-lists for production environments
Production environments should have the most restrictive connector policy. Define an explicit allow-list of connectors permitted in production — typically your core Microsoft 365 stack plus approved business connectors. Any connector not on the list requires a formal exception request with business justification and security review.
#18
Create a data classification policy defining what can go in which environment
Different data types belong in different environments. PII and confidential business data belong only in production environments with full security controls. Public or internal-only data can go in development. Sandbox should never hold real data. Write this as a one-page policy and share it with all makers. Without it, classification decisions default to whatever feels right — which is never consistent.
#19
Confirm Power Platform activity is reaching Microsoft Purview
Microsoft Purview is the successor to the Microsoft 365 compliance center (Compliance Manager is one tool inside it). If unified audit logging is on, Power Apps, Power Automate and Dataverse activity already lands in the Purview audit log; confirm the events are arriving, set the retention policy, and create alert policies for the actions you care about (DLP policy edits, app sharing with everyone, environment creation). Purview DLP and Power Platform DLP are separate controls with separate policies: Purview gives you the audit trail and alerting you'll need in a compliance review, not enforcement of your connector policy. The setup takes under an hour and pays dividends immediately.
#20
Establish a process for handling departing employee app ownership transfers
When an employee's account is deleted, flows that run on their connections fail and their apps become orphaned, unless you catch it first. Create a checklist in your offboarding process: identify owned apps and flows, add an active team member as owner or co-owner, have them replace the leaver's connections with their own, verify nothing breaks. Build this into HR's standard offboarding. You will need it sooner than you think.
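The "identify and transfer" steps of that checklist are scriptable. The following is an added example, not part of the original checklist: given the leaver's and successor's Entra ID object ids (placeholders here), it finds every app the leaver owns and every flow they created across all environments, makes the successor the app owner with `Set-AdminPowerAppOwner`, and grants the successor co-owner (`CanEdit`) rights on each flow with `Set-AdminFlowOwnerRole`. The `CreatedBy.objectId` field name is an assumption from my tenant's cmdlet output; verify it on one flow with `Format-List` before relying on it.

```powershell
# Added example: transfer a departing maker's apps and flows before HR deletes
# the account. Run as a Power Platform admin with
# Microsoft.PowerApps.Administration.PowerShell installed.
param(
    [Parameter(Mandatory)][string]$LeaverObjectId,     # assumption: Entra ID object id of the leaver
    [Parameter(Mandatory)][string]$SuccessorObjectId   # assumption: Entra ID object id of the new owner
)

Add-PowerAppsAccount
$transferred = New-Object System.Collections.Generic.List[object]

foreach ($env in Get-AdminPowerAppEnvironment) {
    # Apps: a single owner field, so ownership moves outright.
    $apps = Get-AdminPowerApp -EnvironmentName $env.EnvironmentName |
            Where-Object { $_.Owner.id -eq $LeaverObjectId }
    foreach ($app in $apps) {
        Set-AdminPowerAppOwner -AppName $app.AppName -EnvironmentName $env.EnvironmentName `
            -AppOwner $SuccessorObjectId | Out-Null
        $transferred.Add([pscustomobject]@{ Type = 'App'; Name = $app.DisplayName; Environment = $env.DisplayName })
    }

    # Flows: no owner transfer exists; grant the successor CanEdit (co-owner).
    $flows = Get-AdminFlow -EnvironmentName $env.EnvironmentName |
             Where-Object { $_.CreatedBy.objectId -eq $LeaverObjectId }
    foreach ($flow in $flows) {
        Set-AdminFlowOwnerRole -EnvironmentName $env.EnvironmentName -FlowName $flow.FlowName `
            -RoleName CanEdit -PrincipalType User -PrincipalObjectId $SuccessorObjectId | Out-Null
        $transferred.Add([pscustomobject]@{ Type = 'Flow'; Name = $flow.DisplayName; Environment = $env.DisplayName })
    }
}

if ($transferred.Count -eq 0) {
    Write-Host 'No apps or flows owned by the leaver were found.'
} else {
    $transferred | Format-Table -AutoSize
    Write-Warning 'Ownership is transferred, connections are not: the successor must open each item and replace the leaver''s connections with their own before the account is deleted.'
}
```

Keep the printed table with the offboarding ticket; it is the record of what moved, and the list the successor works through when swapping connections.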
Communication
Governance without communication is just restriction. Makers need to understand the rules, know how to get help, and feel like the CoE is an enabler — not an obstacle.
#21
Publish your governance policy document — even a 2-page draft counts
You don't need a 50-page governance manual. You need something makers can read in 10 minutes that answers: What can I build? Where? With which connectors? How do I get help? Write a two-page draft, publish it to your CoE SharePoint, and share the link in your maker community. Perfect is the enemy of shipped — get version 1.0 out this week.
#22
Stand up a CoE feedback and request channel
Makers need a place to submit connector exception requests, new environment requests, and governance feedback. A dedicated Teams channel or a simple Power Apps form works. The channel itself isn't the point — the signal it sends is. It says: the CoE is listening. That matters more than you might think when you're trying to build a community of engaged makers.
#23
Send your first "State of Power Platform" update to leadership
By end of week one, you have enough data from your inventory to write a brief executive summary: number of active apps, number of active makers, key governance gaps you've identified, and your plan to address them. This establishes you as a data-driven leader from the first week. Leadership doesn't need details; they need to see that someone's in charge.
#24
Create a maker newsletter template for monthly CoE updates
Monthly communication to your maker community keeps governance visible without being annoying. Template sections: new approved connectors this month, governance tips, featured maker spotlight, upcoming training. You don't need to send the first one this week — but creating the template forces you to think about what makers actually need to hear from the CoE.
#25
Build a decision tree: "Should I build this in Power Platform?"
Not every problem is a Power Apps problem. Build a simple decision tree that helps makers evaluate: Is this a repetitive process? Does it involve structured data? Does it cross department boundaries? A good decision tree reduces low-value builds, improves solution quality, and positions the CoE as a strategic advisor — not just a gatekeeper.
Measurement
CoEs that don't measure their impact don't survive budget season. Define your KPIs, set baselines, and build the reporting infrastructure before anyone asks for it.
#26
Define your 3–5 core CoE KPIs
Common high-signal CoE KPIs: (1) active makers per month, (2) apps deployed to production this quarter, (3) governance violations caught vs. escaped, (4) maker community engagement rate, (5) support ticket deflection rate. Pick the three that best represent your CoE's value proposition to leadership. More than five and no one tracks them.
#27
Set baseline metrics before any new governance changes take effect
You cannot prove your governance changes made things better unless you know where you started. Document your baseline: current active maker count, app inventory size, number of DLP violations in the past 30 days, and maker community size. Write it down, date it, and file it. This is your before photo — and you'll want it when you write your first quarterly governance report.
#28
Build a CoE health dashboard in Power BI or the CoE Starter Kit
The CoE Starter Kit ships with pre-built Power BI dashboards. Publish them. Even if the data is incomplete, having a live dashboard signals to stakeholders that governance is being actively managed — not just discussed. You'll refine the metrics over time. The discipline of maintaining a dashboard shapes your governance habits more than any policy document.
#29
Schedule quarterly governance reviews with stakeholders
Book the meetings now, before the calendar fills. Quarterly governance reviews serve two purposes: they force you to prepare a summary of CoE progress, and they give stakeholders a regular checkpoint to raise concerns before they become crises. The agenda is simple: what changed, what improved, what needs attention, what's next. 45 minutes per quarter is all you need.
#30
Create your first "governance wins" report to build executive credibility
By end of week one, you've completed the first inventory, set baseline metrics, published a governance policy, and locked down environment creation. That's a governance win. Write it up as a one-page summary and share it with your CITO or equivalent. Not as a status update — as proof of value. CoEs that communicate wins early build the political capital to enforce governance later.

What Happens After Week One

Finishing this checklist doesn't mean your governance program is done. It means it's started. Week two is where you begin processing the intake requests you created the form for, enforcing the DLP policy you defined, and running the first round of maker onboarding.

The pattern that separates effective CoE leaders from ineffective ones isn't sophistication — it's consistency. Weekly reports sent on time. Quarterly reviews that actually happen. Maker community questions answered within 24 hours. The 30 items on this list create the infrastructure for that consistency.

"The CoEs that succeed aren't the ones with the most elaborate governance frameworks. They're the ones that do the basics relentlessly well — show up for makers, measure what matters, and communicate clearly to leadership."

A few things to watch for as you move into week two:

  • Pushback on DLP policies — expect it. Have data ready on why the policy exists. "Because security said so" loses every time. "Because this connector class was responsible for 3 data incidents last year" wins.
  • The inventory surprise — most CoE leaders discover 2-3x more apps and flows than they expected. Don't panic. Prioritize by usage volume and business criticality. You don't need to govern everything in week two — you need to govern the crown jewels first.
  • The maker who goes around you — someone will try to build in a personal environment to avoid your governance controls. Address it directly and quickly. Ignored workarounds become precedents.

Tools That Accelerate This Work

You don't have to build all of this from scratch. Microsoft's CoE Starter Kit covers items 11–15 (monitoring) and 26–28 (measurement) out of the box. It's free, it's published by Microsoft's Power CAT team on GitHub (community-supported rather than a supported product, so plan for your own upgrades), and it deploys into your own environment. If you haven't installed it yet, that's your first task after publishing your governance policy.

For the community and communication side (items 8, 21–25), Viva Engage or a structured Teams deployment gives you the infrastructure. The hard part isn't the tool — it's the consistency of moderation and response.

Where most CoEs fall short isn't tooling. It's the measurement and reporting layer — translating raw governance activity into business-language KPIs that stakeholders actually care about. That's where platforms like GovIQ close the gap between a working governance program and a visible one.
