As anyone familiar with the governance of PowerApps and Power Automate knows, data policies are used to control the flow of data between Business data and Non business data. It’s part of the so-called data loss prevention part of a PowerPlatform environment.
In a nutshell, a data policy allows an administrator to set boundaries. Only connectors which are part of the same data group can be used together. In my example above, SharePoint, Outlook, OneDrive for Business and Azure Container instance can be used together. But you cannot connect your OneDrive for Business to your personal OneDrive or connect Salesforce to Outlook.
There are still some limitations to these DLP-rules, but as of April 20th, 2020 one of these will be gone. At this moment, the DLP rules will be be enforced when a Power App is created. It informs the creator of the app that there’s some problem with the app – it conflicts with a data loss prevention policy.
And this is great. But there’s one great issue. If an admin creates or updates an DLP-rule which effects PowerApps that have already been created, then these rules will not take effect. In other words: the connectors will be able to circumvent the DLP rules. That’s not entirely correct – PowerApps simply doesn’t check.
But from today (April 20th) the new DLP-method is introduced. If a Power App does not comply with a new or adjusted DLP rule, it will not launch and will present the user with a message that there’s a problem. It’s then up to the creator of the app to either adjust the app itself or talk to the admins. Because it might be necessary to either modify the current data policy or move the Power App to a different environment.
This is a nice enhancement for the compliance-side of the PowerPlatform. I’m still looking forward to all the other (promised) enhancements like directional rules (inbound/outbound specific) and the interaction with the new site-classification of SharePoint and Teams. But I like this all the same 🙂