Title: Power Platform - DLP Policies
URL: https://dev.to/wyattdave/power-platform-dlp-policies-5go2
# Power Platform - DLP Policies

By david wyatt (https://dev.to/wyattdave), published 2024-04-01, last modified 2026-01-10.

**D**ata **L**oss **P**revention Policies are the cornerstone of protecting your Power Platform environments. They put controls on how data can flow in and out of an environment, protecting you from data leaks. Every Power Platform needs a well-planned DLP strategy; it's not a set-up-and-forget exercise, but requires continuous review.

There are two levels, Tenant and Environment. The Tenant level is the key one, as it supersedes the environment policies. Your Tenant level is your wall and has to be set up correctly; environment-level policies can then trim down permissions for an individual environment (but not increase them).

I want to talk about how it works, strategy and maintenance. If you already know all about it, jump to [strategy](#strategy) and [maintenance](#maintain).

---

## How it Works

There are 3 main areas to configuring your DLP:

1. Connectors
2. Custom Connectors
3. Connector Configuration

### 1. Connectors

There are over 1000 connectors (and growing) available. The DLP allows you to group these connectors and apply controls on them; there are 3 buckets:

**Business**
These should be any connectors that use your business data.
**Non Business**
Any you want to be usable but not directly access your data.
**Blocked**
Connectors you don't want people to use.

Business and Non Business work by enforcing that connectors only work with connectors in the same bucket. So if SharePoint is in Business and Twitter/X is in Non Business, then they can't be in the same flow. And before you think you could call a child flow to get around it, that is covered too.

[Image: child flow dlp]

A call-out here is that there are 24 connectors you can't block (all Microsoft).

[Image: non block connectors]

### 2. Custom Connectors

For custom connectors the connector itself is not added to one of the buckets, but the URL it uses is.

There are 4 settings for a custom connector URL:

- Blocked
- Non Business
- Business
- Ignore

As you can see there is an additional option beyond the buckets: Ignore. This option defers the bucket to the tenant policy (the policy covering all environments). If you don't have a tenant policy it will default to both Business and Non Business (it can't be set for specific URLs, only for all, i.e. `*`).

The rules are enforced in order, so in the example below `api.consto.com` sits above the block-all (`*`) rule and so will be allowed.

[Image: dlp custom connectors]

### 3. Connector Configuration

[Image: connectors to configure]

Selected connectors have additional options. The 2 main ones are the HTTP connector, which allows you to configure it like a custom connector (by URL):

[Image: http endpoints]

and the SQL connectors, which have the same URL/endpoint controls but also the option to control which actions are allowed (e.g. you could set it to read-only and block editing):

[Image: sql action controls]

---

## Strategy

There are 2 main DLP strategies, shared and bespoke. Shared creates a standard policy that covers all environments, so if a connector is approved in one it is approved in all. Bespoke is the opposite, with each environment stack having its own policy. This works if you have business department stacks, e.g. you have finance environments and only those environments can access the finance custom connector.

For ease of maintenance I prefer the shared approach. Managing multiple policies wouldn't be too bad if they were static, but with new connectors continually arriving it can become a nightmare (Microsoft is introducing DLP groups, but it's still not perfect). I also don't like using DLP as access control to an API; that should be done at the API level. So I would rather everyone can call the API but only authorized users can use it (if you got lazy and just used the DLP, then the API could be vulnerable to Postman and other clients).

In my shared structure I have 3 groups:

**Default (Personal Productivity)**
This is the most restricted policy, and covers all new environments (unless they are opted out of the policy). I believe the default should only be for personal solutions (as there is no ALM and minimal governance), so that should limit the policy to the non-blockable connectors (basically Microsoft), with everything else blocked. There is one exception, Dataverse: it cannot be blocked, but I don't want people using it for personal solutions. So my workaround is to put it on its own in the Non Business bucket. This way it cannot be used in a flow with any other connector, making it practically unusable.

**Standard**
This covers all of your standard managed environments. It has additional connectors approved over the Default (as it has ALM and additional controls like intake and security reviews). It is split into 3, with a Dev, Test and Prod version. They are all the same except for the Custom Connector and Connector Configuration settings: in Dev only the Dev versions of the APIs are allowed, in Test only the Test versions, and in Prod only the Prod versions. This way no one can use Test as pseudo-prod, and you are ensuring a developer doesn't accidentally delete production data.

**Innovation**
This is your most open policy and it should be set on just one innovation environment. It allows any URL in custom connectors and connector configuration. It also has all of the usually blocked connectors set to Non Business, allowing people to test and explore. It's better to see if something is even possible before going through all of the reviews and documentation.
As it's so open I add on additional controls, mainly share limits for apps (through managed environments; if any environment should be managed, this one should), and a scheduled flow that turns off all flows in the environment (I also run this against all dev environments to stop pseudo-prod).

[Image: dlp restricted scale]

Additionally you need a strategy for your connectors. There are different ways to approach most connectors, Out of the Box and Custom. Both have their benefits and it is more of a preference thing (note, this does not cover Microsoft out-of-the-box connectors, and this is a preferred route, so neither is exclusive).

**Out of the box**
This strategy focuses on connectors that others have already created (there are over 1000 and growing). These connectors are often not built by the API owner, but by someone from the community.

Benefits

- No development time
- No ALM required (already in every environment)

Negatives

- No agreement with the developer/owner, so you don't know exactly what happens to your data
- Not built to your exact requirement (see [here](https://dev.to/wyattdave/power-platform-connectors-go-custom-47if) to understand more)

**Custom**
This is the opposite of Out of the Box, and requires you to create the connector yourself.

Benefits

- Exactly what you want (APIs have many endpoints that might not be covered)
- You know the end-to-end data movement, which keeps security happy
- Not reliant on someone else's schedule for updates

Negatives

- Requires development time
- Requires an ALM strategy to move the connector between Dev/Test/Prod

---

## Maintenance

As I said, your DLP policy is a continuing process, with new connectors released, version 2 launches and internal development. Having a process is key to keeping everything secure.

I always recommend setting your new connectors to Blocked (a setting in the DLP policy).

[Image: default new connectors]

For any connector to move out of Blocked I have 2 options:

**Solution Requirement**
In this case a specific solution requires the connector/URL to be approved (nearly all custom connectors take this route). The solution owner ensures the connector goes through security review and passes all NFRs. The connector cannot be approved specifically for the solution; it's safe for all or none. This approach ensures that the API is fully secure separately from the Power Platform.

**Platform Requirement**
This could be because of predicted future needs or corporate changes (e.g. changing from one HR system to another, which will have impacts on multiple existing solutions). This should be carried out in a DLP review meeting (regular cadence, like every quarter) attended by security, platform engineers and API owners (not the connector publisher, but the team who own the API in your organization). I normally recommend 2 different approaches for approving standard connectors. If the connector is owned by the API owner, e.g. ServiceNow own the ServiceNow connector, then it's just a case of checking your contract covers everything. If it's an independent publisher, then I would explore the documentation uploaded by the publisher [here](https://github.com/microsoft/PowerPlatformConnectors/tree/dev).

---

Without a secure foundation every platform is destined to fail, so your DLP strategy should be the first thing on your rollout plan.

---

### Comments

**Jaime López** (https://dev.to/jaloplo), 2024-04-01:

Wonderful content!!!