Power Platform – Security and Governance: Data Loss Prevention – What is it about?


Introduction


When I was studying for PL-600 last month, a fresh seed ☘️ of curiosity was planted in my mind. I stumbled upon different security areas that were new to me, Data Loss Prevention (DLP) being one of them. As I was studying through the materials, I ran into multiple great posts about it. See related links.


TLDR


  • DLP applies specifically to connectors.
    • There are three classifications for applying rules/policies to connectors: Business, Non-Business and Blocked.
    • Business and Non-Business behave the same, except that connectors in one group can only be used together with other connectors in the same group.
    • Blocked means you won’t be able to use this connector at all.
  • DLP can prevent certain connectors from being used within the same process.
  • You can allow/disallow certain actions within a connector.

What?


Microsoft describes DLP as a way to “…prevent users from unintentionally exposing organizational data” 🤐. Note that this refers to connectors. What does this mean?

As you may, or may not, know… connectors are available to Power Automate, Power Apps and Logic Apps. When using these services, you have the option to combine multiple different connectors within the same process. What DLP does is ensure 👷‍♂️ that you, the creator, don’t unintentionally (or intentionally 🥷) expose data to the other services. In my examples below, I am using Power Automate.

What do I mean by expose? A concrete example would be retrieving data from Dataverse and sending it to SharePoint (using its connector), or vice versa, for whatever reason.

Power Automate: An instant flow that fetches all accounts from Dataverse and creates them in SharePoint

After applying a DLP policy that puts Microsoft Dataverse in the business classification and leaves SharePoint in non-business, as shown below, an error ❌ will be displayed in the flow checker.

Power Platform – Data Loss Prevention: Setting Microsoft Dataverse in business classification.
Power Platform – Data Loss Prevention: Leaving SharePoint in non-business classification.
Power Automate: Trying to save after changes in DLP.

As Alex Shlega pointed out, some connectors are configurable at the action level, meaning you can block/allow certain actions.

Power Platform – Data Loss Prevention: Column showing if connector can be configurable
Power Platform – Data Loss Prevention: Enable/disable certain actions on connectors.

Tip


When creating a new policy, the default setting assigns all connectors to non-business. Ideally, you should assign all of them to blocked and move them individually to business/non-business based on your business needs. That way, you can ensure that there won’t be any unintentional exposure. See the screenshots below for moving all connectors (that can be moved to blocked, as some are not blockable) to blocked.

Power Platform – Data Loss Prevention: Filtering blockable connectors
Power Platform – Data Loss Prevention: Mark all connectors as blockable
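To make the rules above concrete, here is an added example (my own illustration, not Power Platform code or its admin API) that models a DLP policy the way this post describes it: a connector is Business, Non-Business or Blocked, a flow that mixes the two allowed groups fails the check, a Blocked connector fails on its own, and individual actions can be disabled. It also builds the "default deny" policy from the tip, where every blockable connector starts out Blocked. The connector and action names are constructed sample values, the set of unblockable connectors is an assumption for the sample, and a connector the policy does not mention is assumed to fall into Non-Business, matching the default for a new policy.

```python
from dataclasses import dataclass, field

BUSINESS = "Business"
NON_BUSINESS = "Non-Business"
BLOCKED = "Blocked"


@dataclass
class DlpPolicy:
    """Toy model of a DLP policy: connector -> group, plus per-connector disabled actions."""
    groups: dict
    blocked_actions: dict = field(default_factory=dict)

    @classmethod
    def default_deny(cls, connectors, unblockable):
        # The tip from the post: everything that can be blocked starts Blocked;
        # connectors that cannot be blocked stay in the default Non-Business group.
        groups = {c: (NON_BUSINESS if c in unblockable else BLOCKED) for c in connectors}
        return cls(groups=groups)

    def classify(self, connector, group):
        # Move a connector to Business / Non-Business as a business need is approved.
        self.groups[connector] = group

    def block_action(self, connector, action):
        # Action-level control: the connector stays usable, this one action does not.
        self.blocked_actions.setdefault(connector, set()).add(action)


def evaluate_flow(policy, steps):
    """steps: list of (connector, action) pairs in one flow.

    Returns the list of violations the flow checker would raise; an empty
    list means the flow passes the policy.
    """
    violations = []
    for connector, action in steps:
        # Assumption: an unclassified connector lands in the policy's default group.
        group = policy.groups.get(connector, NON_BUSINESS)
        if group == BLOCKED:
            violations.append(f"{connector} is Blocked")
        if action in policy.blocked_actions.get(connector, set()):
            violations.append(f"action '{action}' on {connector} is disabled")
    # Business and Non-Business connectors may not appear in the same flow.
    groups_used = {policy.groups.get(c, NON_BUSINESS) for c, _ in steps} - {BLOCKED}
    if len(groups_used) > 1:
        violations.append("flow mixes Business and Non-Business connectors")
    return violations


def demo_policy():
    # Constructed sample: three connectors, Dataverse treated as unblockable (assumption).
    connectors = ["Microsoft Dataverse", "SharePoint", "Example Social Connector"]
    policy = DlpPolicy.default_deny(connectors, unblockable={"Microsoft Dataverse"})
    policy.classify("Microsoft Dataverse", BUSINESS)   # as in the screenshot
    policy.classify("SharePoint", NON_BUSINESS)        # left in non-business
    policy.block_action("Microsoft Dataverse", "Delete a row")
    return policy


if __name__ == "__main__":
    p = demo_policy()
    # The flow from the post: Dataverse -> SharePoint, which the checker rejects.
    print(evaluate_flow(p, [("Microsoft Dataverse", "List rows"),
                            ("SharePoint", "Create item")]))
    # Same group only: passes.
    print(evaluate_flow(p, [("Microsoft Dataverse", "List rows"),
                            ("Microsoft Dataverse", "Add a new row")]))
    # A connector left Blocked by the default-deny policy cannot be used at all.
    print(evaluate_flow(p, [("Example Social Connector", "Post a tweet")]))
```

Running it shows the three outcomes the post walks through: the Dataverse-to-SharePoint flow reports the group mix, the Dataverse-only flow is clean, and the connector that was never moved out of Blocked is rejected regardless of the action used.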

Last words


So basically, Data Loss Prevention may prevent you from using connectors X and Y within the same process/flow, or strip certain actions from a connector.



Happy Data Loss Prevent-ing!

