Power Platform DLP policies you should be considering on Day 1

Data Loss Prevention, Power Platform 2 Minutes

Protecting your organisations data is a big topic and as you would expect, Microsoft are putting a lot of focus into this area.

However, an area that is often overlooked is within the Power Platform. Security teams are typically focused on M365 Security and Compliance: Retention Polices, DLP, AIP, Labelling etc – and this is all good stuff – but what about people moving data (internally and externally) using Power Apps and Power Automate?

In an earlier post I wrote about the concept of using Power Platform Environments (Have you defined your Power Platform Environment Strategy?) for Application Lifecycle Management (ALM) purposes and provided some examples of when it might be appropriate to build out from the single Default Environment that is created for each and every tenant. I purposely kept this simple and excluded other factors that may influence or complicate matters further, however DLP Policies may influence your strategy.

To follow on from that post, and assuming the concept of ‘Environments’ is better understood, the next step is to ensure your Power Platform is secure. This is where Power Platform DLP (Data Loss Prevention) policies come into play (NOT – Microsoft 365 DLP)!

Why do I need to consider DLP?

Out of the box, there are some 340+ ‘connectors’ which allow you to connect Power Apps and Power Automate to other services. These services include the Microsoft “Standard” connectors (some 25+) such as SharePoint and Outlook and “Premium” connectors which connect to other line of business applications such as Google G-Suite, Box.com and DocuSign, which require you to have either existing credentials or a subscription to authenticate to them.

So why are DLP policies important then? And why do I need to consider from day 1?

The Power Platform opens up the option for users to create ‘Personal Productivity Applications’ and move data around, such as a user creating a Power Automate Flow to box.com which is triggered on a SharePoint library that copies every document that is created or updated!

My recommendation

It can get relatively complicated when defining your DLP policies, and certainly a consideration that plays a part of defining your Power Platform Environment Strategy, but my recommendation for a day 1 policy is to block everything you can (Note: you can’t block the Microsoft connectors!) and only allow access where there is a justifiable business reason.

If you want to get clever, then creating DLP policies that are deployed to specific Power Platform Environments and allow access to a single connector such as DocuSign solely for the purpose of a Power Automate solution that runs on your Contracts Management document management site, would be an option.

How do you create a DLP Policy?

From the Power Platform Admin Centre – Click on Data polices and click New Policy. Give your new policy a name.

Note: To create a DLP policy, you need to be a tenant admin or have the Environment Admin role.

Define which connectors you want to include in your policy.

Specify how you want this policy to be deployment. In the scenario of allowing a single business application to use a non-Microsoft connector, you would use the ‘Add multiple environments’ option to allow you to select the specific environment(s).

Publish your policy.

Note: DLP policies enforce rules for which connectors can be used together by classifying connectors as either Business or Non-Business. If you put a connector in the Business group, it can only be used with other connectors from that group in any given app or flow.

Published by Aaron

I am an experienced, commercially aware, Microsoft 365 Solution Architect / Technology Leader with a strong and demonstrable background within the Collaboration, Productivity and Low-Code / Pro-Code Development platforms of Microsoft 365 and Azure. With over 15 years of experience working with Microsoft technology, I have worked with many organisations - from SMEs through to Enterprise, working to digitally transform their businesses with the successful implementation and adoption of Microsoft 365 and Azure products. This includes managing the lifecycle of the project from visioning exercises, discovery, solution design through to implementation and user adoption and change management strategies. More recently, my current roles include: Technology Development: - Development and implementation of the company’s technical strategy - Implementation of products and services relevant to the Microsoft Business Applications, Modern Workplace and Development technology areas within Microsoft 365 - Manage and develop technical media assets, including product Service Catalogues and GTM related content - Monitor and evaluate new technology and make recommendations for required technological solutions - Deliver technical marketing activities, ensuring events are suitably presented with appropriate content. Pre-Sales: - Manage and deliver Pre-Sales activities - Review and approve sales proposals, for the viability and appropriateness of proposed solutions - Understand and interpret requirements and provide deliverable solutions based on the product portfolio - Provide technical input and validation during the creation of Sales proposals, and in response to RFIs / RFPs.

Published

3 thoughts on “Power Platform DLP policies you should be considering on Day 1

  1. I have to disagree with your example. Putting connectors in the Business and Non-Business only stops you mixing Business connectors with non business connectors. You can have all of the connectors in non-business and can still use them individually. What DLPs do stop is allowing you to use one connector in Business with a connector in non-business. If you want to stop users using a connector all together, you can put it into “Blocked”. However, if it is a Microsoft non-premium connector or a Microsoft Hosted Connector, then you cannot block it.

    Like

    Reply

    1. Hi Nigel. Appreciate you taking the time to read.

      Perhaps I didn’t make it clear enough in the images, but I’ve moved all the ‘blockable’ connectors into ‘blocked’ and moved the non-blockable ones to ‘Business’ – however, you’re right, this step isn’t needed, but it does keep it ‘clean’.

      Like

      Reply
  2. Pingback: Implementing a Power Platform Centre of Excellence – Aaron Rendell

Leave a comment