Power Platform DLP Policies determine which data connectors can be used by apps & flows in an environment and which connectors are blocked. They are essential to put in place for every environment. DLP Policies prevent makers from accidentally exposing data to 3rd party services that should not have it. In this article I will share 8 Power Platform DLP Policy best practices and help you build a strategy to prevent data-leakage.
1. Safeguard The Default Environment With A Restrictive DLP Policy
All users with a standard Power Apps/Power Automate license have access to the default environment with the Environment Maker role assigned. Many arrive at the default environment with no prior-training. They cannot be blocked from creating apps or flows so it is important to restrict their capabilities.
Move all non-blockable connectors to the business category.
Then move all blockable connectors to the blocked category.
Set the default group for the default environment to blocked. Any new connectors will automatically blocked unless they are non-blockable.
Apply the DLP Policy to only the default environment.
2. Set A Power Platform DLP Policy For Each New Environment
Every environment should have a DLP Policy in place before makers start to use it. When a new environment is requested, start by moving all non-blockable connectors to the business category. Then work with the environment owner to identify any additional connectors that are required (example: Salesforce, SQL Server, etc.) and move them to business as well. Move the remaining connectors to blocked.
Set the default group for the new environment to blocked.
3. Fine-Tune Connector Endpoints And Actions
All blockable connectors can specific actions blocked while allowing others. Others can also allow or deny specific endpoints. Consider limiting usage whenever moving a blockable connector into the business category.
In this example, the SQL Server connector is only allowed to access one endpoint. The idea of what an endpoint is differs for each connector (example: HTTP, Dataverse, Blob Storage, etc.).
Consider granting read-only access to a datasource using connector actions when users do not have a requirement to insert, update or delete data.
4. Use A Shared Power Platform DLP Policy For DEV-TEST-PROD Environments
New apps and flows should be created in a development environment. Then, they should undergo testing in a test environment and finally be released into a production environment. Include dev, test and prod environments in the same policy to ensure they are always subject to the same conditions.
5. Check Before Changing The DLP Policy For An Existing Environment
If a data policy changes after apps & flows have already been developed, it runs the risk of breaking them. The Power Platform Center Of Excellence Starter Kit includes a useful Power Apps app named DLP Editor. Run an impact analysis before switching the data policy to see which specific apps & flows will break. Then inform their creators and find a resolution.
6. Create A Blanket Power Platform DLP Policy For The Entire Tenant
A tenant-wide DLP Policy should be created for the sole purpose of blocking any potentially dangerous connectors in all environments. Do not be overly restrictive here. Blocking too many connectors at the tenant level will harm makers and make administration harder. Only block individual connectors on a case-by-case basis.
The blanket DLP policy will stack on top of the individual environment DLP policies. When one DLP Policy allows a connector and the other DLP Policy blocks a connector, the most restrictive policy wins.
Move all connectors to the business category.
Move individual connectors identified as risky into the blocked category.
Set the default group to business. Any new connectors added will automatically appear in the business category.
Choose add all environments when defining the scope.
7. Update The Governance Error Message With An Admin Contact
When a maker saves an app or flow that is not DLP Policy compliant they will receive a governance error message. Use PowerShell cmdlets to update the governance message and let makers know who they should contact to resolve the issue.
This PowerShell script was used to create the message above. Consider setting up a Microsoft Form and linking it in the governance message to collect requests for DLP Policy changes.
New-PowerAppDlpErrorSettings -TenantId 'TenantId' -ErrorSettings @{
ErrorMessageDetails = @{
enabled = $True
url = "https://contoso.org/governanceMaterial"
}
ContactDetails= @{
enabled = $True
email = "admin@contoso.com"
}
}
8. Do Not Use Power Platform DLP Policy Resource Exemptions
Apps and flow can be exempted from DLP Policies using these PowerShell cmdlets. Do not grant exemptions. If a resource requires a different DLP Policy consider moving it into another environment.
Comments