Introduction
When I was studying for PL-600 last month, a fresh seed ☘️ of curiosity was planted in my mind. I stumbled upon different security areas that were new to me, Data Loss Prevention (DLP) being one of them. As I was studying through the materials, I ran into multiple great posts about it. See related links.
TLDR
- DLP is specifically for Connectors.
- There are three classifications for applying rules/policies to connectors: Business, Non-Business and Blocked.
- Business and Non-Business behave alike, except that connectors in Business can only be used together with other connectors that are also in the Business group.
- Blocked: you won’t be able to use this connector at all.
- DLP can prevent certain connectors from being used within the same process.
- You can allow/disallow certain actions within a connector.
What?
Microsoft describes DLP as a way to “…prevent users from unintentionally exposing organizational data” 🤐. Note that this refers to connectors. What does this mean?
As you may, or may not, know… connectors are available to Power Automate, Power Apps and Logic Apps. When using these services, you have the option to integrate multiple different connectors within the same process. What DLP does is ensure 👷♂️ that you, the creator, don’t unintentionally (or intentionally 🥷) expose data to the other services. In my examples below, I am using Power Automate.
What do I mean by expose? A concrete example would be retrieving data from Dataverse and sending it to SharePoint (using its connector), or vice versa, for whatever reason.
After applying a DLP policy that places Microsoft Dataverse in the Business classification and leaves SharePoint in Non-Business, as shown below, an error ❌ is displayed in the flow checker.
As Alex Shlega pointed out, some connectors are configurable at the action level, meaning you can block or allow individual actions.
Tip
When creating a new policy, the default setting assigns all connectors to Non-Business. Ideally, you should assign all of them to Blocked and then move them individually to Business/Non-Business based on your business needs. That way, you can ensure that there won’t be any unintentional exposure. See the screenshots below to move all connectors (those that can be moved to Blocked, since some are not blockable) to Blocked.
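To make the classification rules above concrete, here is a small model of how a DLP policy classifies connectors and what the flow checker would flag, covering both the Dataverse-to-SharePoint example and the "default everything to Blocked" tip. This is an added example, not code from the original post or from Microsoft; the connector names, action names and message texts are constructed sample values.

```python
"""Model of Power Platform DLP classification rules (added example;
connector/action names below are constructed, not real connector IDs)."""
from dataclasses import dataclass, field

BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-Business", "Blocked"


@dataclass
class DlpPolicy:
    business: set = field(default_factory=set)
    non_business: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    # Action-level configuration: connector -> set of blocked action names.
    blocked_actions: dict = field(default_factory=dict)
    # Group given to connectors the policy does not list explicitly.
    # A new policy defaults to Non-Business; the tip recommends Blocked.
    default_group: str = NON_BUSINESS

    def classify(self, connector: str) -> str:
        if connector in self.blocked:
            return BLOCKED
        if connector in self.business:
            return BUSINESS
        if connector in self.non_business:
            return NON_BUSINESS
        return self.default_group


def check_flow(policy: DlpPolicy, steps: list) -> list:
    """steps: (connector, action) pairs used by one flow.
    Returns the violation messages a flow checker would show (empty = OK)."""
    violations = []
    groups: dict = {}
    for connector, action in steps:
        group = policy.classify(connector)
        if group == BLOCKED:
            violations.append(f"{connector}: connector is blocked")
        elif action in policy.blocked_actions.get(connector, set()):
            violations.append(f"{connector}.{action}: action is blocked")
        groups.setdefault(group, set()).add(connector)
    # Business connectors may only be combined with other Business connectors.
    if BUSINESS in groups and NON_BUSINESS in groups:
        violations.append(
            f"Business {sorted(groups[BUSINESS])} cannot be combined with "
            f"Non-Business {sorted(groups[NON_BUSINESS])}")
    return violations


if __name__ == "__main__":
    # The post's scenario: Dataverse in Business, SharePoint left in Non-Business.
    policy = DlpPolicy(business={"Microsoft Dataverse"}, non_business={"SharePoint"})
    print(check_flow(policy, [("Microsoft Dataverse", "ListRows"), ("SharePoint", "CreateItem")]))
```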
Last words
So basically, Data Loss Prevention may prevent you from using connectors X and Y within the same process/flow, or block certain actions of a connector.
- https://www.matthewdevaney.com/8-power-platform-dlp-policy-best-practices/
- https://www.itaintboring.com/dynamics-crm/data-loss-prevention-policies-in-power-platform-quick-recap/
Happy Data Loss Prevent-ing!