Updates coming to Power Platform Data Loss Prevention

MC210568, Stay Informed, Published date: Apr 23, 2020

Starting April 22nd 2020, Power Apps and Power Automate Data Loss Prevention (DLP) policies will support the following new features. The release status of these features is in Public Preview.

  1. Ability to block connectors (in addition to existing ability to classify connectors as ‘Business’ or ‘Non-business’) through Data Loss Prevention (DLP) policies
  2. Ability to configure DLP Policies using Power Platform admin center
  3. Ability to classify HTTP connectors using DLP UX in Power Platform admin center

Legacy two-way DLP support (Business and Non-Business) and the legacy DLP UX in the Power Apps and Power Automate admin centers will continue to be supported for the foreseeable future.

Detailed documentation of these new capabilities will be made available here, as the capabilities roll out to production.

Altogether these features provide powerful new controls and functionality for structuring Data Loss Prevention policies for your tenant and/or environments. As a Power Platform admin you should use these capabilities as needed. As you roll out any new restrictions using these features, you should also anticipate support requests from Power Platform makers and users in your organization who may be negatively impacted.

What are Data Loss Prevention Policies?
Please visit this site for more information on the Data Loss Prevention policies.

DLP policies enforce rules about which connectors can be used together by classifying connectors as either ‘Business’ or ‘Non-business’. Simply put, if you put a connector in the ‘Business’ group, it can only be used with other connectors from that group in the same app or flow. Sometimes you may want to block the usage of certain connectors altogether by classifying them as ‘Blocked’; in that case the connector cannot be used by any app or flow. DLP policies can be created from the Power Platform admin center. They apply to Power Platform canvas apps and Power Automate flows.

What specifically is changing – Connector Blocking capability
Until recently, admins could categorize connectors as ‘Business’ or ‘Non-Business’ but could not mark a connector as ‘Blocked’ to prevent their tenant or environment from using it altogether. With the new DLP feature we have now added this support as a key capability in Power Platform. Admins can now expose connectors they consider high-risk only in selected environments that are open to a small subset of makers.

Admins can restrict data flow to a specific service by marking the corresponding Power Platform connector as ‘Blocked’. For example, if you place the ‘Facebook’ connector in the Blocked group using DLP, makers can no longer create a Power Apps or Power Automate resource that uses the Facebook connector. This effectively blocks data flows to the Facebook service through the Power Platform. All third-party connectors can be blocked. All Microsoft-owned Premium connectors (except Common Data Service) can be blocked. Only Microsoft-owned Standard connectors and Common Data Service cannot be blocked using DLP.

These new features are also accessible through the new DLP PowerShell cmdlets added to the PowerApps admin PowerShell module: New-DlpPolicy, Remove-DlpPolicy, Get-DlpPolicy and Set-DlpPolicy.
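The following is an added example, not part of the MC210568 announcement or of Microsoft's own documentation, showing how the connector-blocking capability described above maps onto the four cmdlets just listed. It assumes the Microsoft.PowerApps.Administration.PowerShell module, the parameter names (-DisplayName, -EnvironmentType, -Environments, -ConnectorGroups, -PolicyName, -UpdatedPolicy) and the API classification strings ('Confidential' for Business, 'General' for Non-business, 'Blocked') as I recall them from that module's documentation, and connector ids of the form /providers/Microsoft.PowerApps/apis/shared_<name>; the policy name and the <ENV-ID> environment are constructed placeholders. Verify names and shapes against Get-Help and the output of Get-DlpPolicy in your own tenant before relying on them.

```powershell
# Added example: create, inspect, update and retire a three-way DLP policy.
# Assumptions (not from the announcement): module and cmdlet parameter names as
# documented for Microsoft.PowerApps.Administration.PowerShell; classification
# strings 'Confidential' (= Business), 'General' (= Non-business), 'Blocked';
# connector/environment id formats shown below. <ENV-ID> is a placeholder.

Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in as a Power Platform admin

$policyName = 'Finance - block social connectors'   # constructed name

# Business group: connectors allowed to share data with each other.
$business = @{
    classification = 'Confidential'   # shown as 'Business' in the admin center
    connectors     = @(
        @{ id = '/providers/Microsoft.PowerApps/apis/shared_commondataservice'; name = 'Common Data Service'; type = 'Microsoft.PowerApps/apis' },
        @{ id = '/providers/Microsoft.PowerApps/apis/shared_sharepointonline';  name = 'SharePoint';          type = 'Microsoft.PowerApps/apis' }
    )
}

# Non-business group: everything not explicitly classified lands here.
$nonBusiness = @{
    classification = 'General'        # shown as 'Non-business'
    connectors     = @()
}

# Blocked group: the connector cannot be used by any app or flow in scope.
$blocked = @{
    classification = 'Blocked'
    connectors     = @(
        @{ id = '/providers/Microsoft.PowerApps/apis/shared_facebook'; name = 'Facebook'; type = 'Microsoft.PowerApps/apis' }
    )
}

# Scope the policy to named environments only (the announcement's "select environments").
$environments = @(
    @{ id   = '/providers/Microsoft.BusinessAppPlatform/scopes/admin/environments/<ENV-ID>'
       name = '<ENV-ID>'
       type = 'Microsoft.BusinessAppPlatform/scopes/environments' }
)

$policy = New-DlpPolicy -DisplayName $policyName `
                        -EnvironmentType 'OnlyEnvironments' `
                        -Environments $environments `
                        -ConnectorGroups @($business, $nonBusiness, $blocked)

# Review what was created: list the connectors that are now blocked.
$created = Get-DlpPolicy -PolicyName $policy.name
($created.connectorGroups | Where-Object classification -eq 'Blocked').connectors |
    Select-Object name, id

# Later change: add another connector to the Blocked group and push the update.
$updated      = Get-DlpPolicy -PolicyName $policy.name
$blockedGroup = $updated.connectorGroups | Where-Object classification -eq 'Blocked'
$blockedGroup.connectors += @{ id = '/providers/Microsoft.PowerApps/apis/shared_twitter'; name = 'Twitter'; type = 'Microsoft.PowerApps/apis' }
Set-DlpPolicy -PolicyName $updated.name -UpdatedPolicy $updated

# Retire the policy when it is no longer needed (uncomment to run).
# Remove-DlpPolicy -PolicyName $updated.name
```

Reading the policy back with Get-DlpPolicy after New-DlpPolicy and again before Set-DlpPolicy is deliberate: the service returns the full policy object, so you edit the current state rather than a stale local copy, and the first read doubles as a check that the Blocked group contains exactly what you intended before makers are affected.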

What specifically is changing – New DLP UX in PPAC
Admins can now use the new DLP UX in Power Platform admin center to configure DLP Policies, which facilitates multiple usability improvements over the legacy admin center experience:

  1. Provides a guided, wizard-like experience for admins to navigate the steps involved in defining DLP policies
  2. Adds connector blocking capability, enabling three-way grouping of connectors using a single DLP policy – Business, Non-Business and Blocked
  3. Prompts admins to provide a meaningful name for their DLP policies
  4. Adds list view for connectors with useful information such as Publisher, Standard vs. Premium, Link to connector documentation etc. This additional information helps admins to make the right classification decision about the connectors with regard to their DLP policy
  5. Facilitates sorting and searching on various fields associated with the connectors. Also enables multi-select and bulk-select capability to move connectors easily across the three classification groups.
  6. Adds list view for environments with useful information such as Region, Type, Created By etc. This additional information helps admins to make the right classification decision about the environments with regard to their DLP policy
  7. Facilitates sorting and searching on various fields associated with the environments. Also enables multi-select and bulk-select capability to easily include environments in, or exclude them from, the DLP policy
  8. Facilitates incremental loading of environment lists for enterprises with hundreds or thousands of environments, thus addressing some key scale issues with the legacy UX
  9. Provides summary view of DLP policies for review before committing your changes

What specifically is changing – HTTP Connector Parity
Another key parity gap we are closing is with the HTTP connectors, namely the HTTP, HTTP Webhook and ‘When a HTTP request is received’ connectors. These are built-in connectors for Power Automate, and before this update it was not possible for admins to define DLP policies for them using the admin center DLP UX. With this update admins can now configure DLP policies for these three connector types in the same way as for other Power Platform connectors.