New Data Loss Prevention policies for enhanced Power Platform governance available for Public Preview

Microsoft Power Platform continues its focus on bringing you enhanced controls to govern the access to more than 400 external data sources available for the platform. The comprehensive set of Data Loss Prevention (DLP) policies are designed to help you define and enforce rules for how these data sources can be used to build apps, flows and bots, at tenant or environment level.

Today, we are excited to announce that new DLP capabilities are now available for you to use worldwide in Public Preview:

  • Connector Action Control enables admins to easily allow/block specific connector actions for each connector. For example, you could block the Delete row (V2) action for the SQL Server connector.
  • Endpoint Filtering enables admins to properly secure connection endpoints by configuring an ordered list of endpoint patterns to allow/block. Continuing the SQL Server connector example above, you could configure a policy to allow only connections to endpoint, and block everything else.
  • Custom Connector Parity allows tenant admins to apply DLP classification on custom connector URL patterns and allows environment admins to apply DLP on custom connectors in their environment. For example, admins can create an additional rule for a custom connector by creating a new pattern for https://* URL and associate it with the connector.

Connection Action Control

Power Platform already allows admins to govern access to various data sources using DLP policies to classify data connectors into well-known buckets such Business, Non-business or Blocked. This defines if a given connector can be used within an app or flow and which connectors can be used together within these resources As organizations further adopted the Power Platform to solve more complex and diversified business use cases, it became apparent that admins needed ways to further configure DLP policies beyond the classification of connectors. This led to the new capabilities we are announcing today.

Connection action controls are designed to give you fine-grained control over specific actions that are allowed or blocked within a connector. Now you can revisit some of the above heavy-handed settings and leverage the granular control over specific actions to enable reads and block only writes for instance.

For example, an organization may consider a social media connector like Twitter risky, and they would place it in the Blocked category. However, with connector action controls, they can disable the riskier write operations but allow for read actions, safely enabling the connector for use cases that do not involve the threat of data exfiltration.

Graphical user interface, text, application Description automatically generated

Endpoint filtering

By leveraging endpoint filtering, to configure which specific endpoints a connector can interact with. With this release, we enabled endpoint filtering support for commonly used connectors such as HTTP, SQL, Dataverse, SMTP, Azure Blob Storage, and more. Ability to configure an ordered list of endpoint patterns to allow/deny and pattern matching with ‘*’ support are also available.

Like connection action control capabilities, endpoint filtering allows customers to not only turn connector usage on or off but turn it on with restrictions in place so they can use available data sources in a controlled, more secure way. For example, you can use endpoint filtering to govern usage of specific SQL Server instances. Depending on the sensitivity of data stored on various servers, you can allow access to some SQL Server endpoints and deny access to others.

Custom connector parity

Also included in this release are new environment and tenant-level policy support, as well as enhanced user experiences for custom connectors.

Environment admins can now use the intuitive experience in Power Platform admin center, in addition to existing PowerShell commands, to classify individual custom connectors by name for environment level DLP policies. All custom connectors are listed in line with pre-built connectors in the Connectors tab of the Data Policies wizard.

Tenant admins can leverage either Power Platform admin center or PowerShell to classify custom connectors by their Host URL endpoints using a pattern matching construct with ‘*’ support for tenant level DLP policies. A new tab was added in the Data Policies wizard called ‘Custom connectors’, to allow you to specify an ordered list of allow and deny URL patterns for custom connectors.

In addition to above capabilities for enhanced custom connector experience, we also introduced support for admins to classify individual custom connectors by name for environment level DLP policies.  This will enable you to apply the same policy to the services regardless of how many customer connector definitions there are or how they are named.

Get Started

We are confident that this new set of DLP capabilities will help admins to effectively govern the movement of tenant data from AAD authorized data sources to and from Power Platform to effectively guard against data exfiltration risks. Start using these new capabilities today! Here are a few pointers to help you get started: