Data Loss Prevention update for the Power Platform


As anyone familiar with the governance of PowerApps and Power Automate knows, data policies are used to control the flow of data between Business data and Non-business data. They are part of the so-called data loss prevention (DLP) side of a Power Platform environment.

[Image: data policy]

In a nutshell, a data policy allows an administrator to set boundaries. Only connectors which are part of the same data group can be used together. In my example above, SharePoint, Outlook, OneDrive for Business and Azure Container Instance can be used together. But you cannot connect your OneDrive for Business to your personal OneDrive or connect Salesforce to Outlook.

More on this here: https://docs.microsoft.com/en-us/power-platform/admin/wp-data-loss-prevention

There are still some limitations to these DLP rules, but as of April 20th, 2020, one of them will be gone. At this moment, the DLP rules are enforced when a Power App is created: the creator is informed that there is a problem with the app, namely that it conflicts with a data loss prevention policy.

And this is great. But there’s one big issue. If an admin creates or updates a DLP rule which affects Power Apps that have already been created, then these rules will not take effect. In other words: the connectors will be able to circumvent the DLP rules. That’s not entirely correct – PowerApps simply doesn’t check.

But from today (April 20th) the new DLP method is introduced. If a Power App does not comply with a new or adjusted DLP rule, it will not launch and will present the user with a message that there’s a problem. It’s then up to the creator of the app to either adjust the app itself or talk to the admins, because it might be necessary to either modify the current data policy or move the Power App to a different environment.
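Because existing apps are now checked too, it helps to estimate which apps a policy edit would stop from launching before saving it. The sketch below is an added example, not code from this post or from Microsoft: the app names and connector lists are constructed, and it assumes any connector not listed in the Business data group falls into the Non-business data group.

```python
# Added example: models the "same data group" rule from the post.
# App inventory and the old policy are constructed sample data.
BUSINESS, NON_BUSINESS = "Business data", "Non-business data"


def split_by_group(connectors, business_group):
    """Sort an app's connectors into the two data groups.

    Assumption: a connector not listed in the business group belongs
    to the non-business group.
    """
    groups = {BUSINESS: [], NON_BUSINESS: []}
    for name in sorted(set(connectors)):
        key = BUSINESS if name in business_group else NON_BUSINESS
        groups[key].append(name)
    return groups


def conflicts(connectors, business_group):
    """Return the split if the app mixes both groups, else None."""
    groups = split_by_group(connectors, business_group)
    return groups if groups[BUSINESS] and groups[NON_BUSINESS] else None


def impact_of_change(apps, old_business, new_business):
    """Classify every existing app against a planned policy edit."""
    report = {"newly_blocked": {}, "still_blocked": {}, "unblocked": []}
    for app, connectors in sorted(apps.items()):
        before = conflicts(connectors, old_business)
        after = conflicts(connectors, new_business)
        if after and not before:
            report["newly_blocked"][app] = after  # will stop launching
        elif after:
            report["still_blocked"][app] = after  # never compliant
        elif before:
            report["unblocked"].append(app)       # edit resolves it
    return report


# Business group as in the post's example; the old policy also held Salesforce.
NEW_BUSINESS = {"SharePoint", "Outlook", "OneDrive for Business",
                "Azure Container Instance"}
OLD_BUSINESS = NEW_BUSINESS | {"Salesforce"}
APPS = {  # constructed inventory: app name -> connectors it uses
    "Expense Tracker": ["SharePoint", "Outlook"],
    "Sales Sync": ["Salesforce", "Outlook"],
    "File Mover": ["OneDrive for Business", "OneDrive"],
    "CRM Notes": ["Salesforce", "Twitter"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(impact_of_change(APPS, OLD_BUSINESS, NEW_BUSINESS), indent=2))
```

The `newly_blocked` entries are the apps whose creators need to be contacted before the policy edit goes live; each entry lists the connectors on either side of the boundary.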

This is a nice enhancement for the compliance side of the Power Platform. I’m still looking forward to all the other (promised) enhancements like directional rules (inbound/outbound specific) and the interaction with the new site classification of SharePoint and Teams. But I like this all the same 🙂
