Is your data secured?

Power Platform comes with the capability to build Applications that connect across multiple data sources and services which include external third party services and even social networks. Is your data secured? Well, I think it is, and I think I am doing what I am allowed to do with my organization’s data.

With the increase in number of connectors, there comes the risk in data leakage.

Currently, with over 230 connectors in PowerApps, there are chances that users might unintentionally expose your organization’s data while connecting to social media connectors or any external 3rd party services that might be a security concern. Is your data secured? Well, I think it is, and I think I am doing what I am allowed to do with my organization’s data. It’s time to secure your organization’s data.

How to prevent this unintentional data leakage?

Secure your organization's data with Data loss prevention policy

PowerApps Administrators can set up and enforce Data loss prevention (DLP) policies in the PowerApps environment to safeguard the data from being exposed to unintended audience. DLP is a rule that while setting up, classifies your data sources(technically the connectors in PowerApps) into two repelling groups as below. Yes! these groups doesn’t talk to each other.

  1. Business data only group
  2. No business data allowed group

By default, all connectors are in No business data allowed group and none are added to the Business data only group. Environment admins or Tenant admins can add connectors to the Business data only group while setting up DLP policy which will isolate the critical business data from non business data connectors.

How does this classification help?

Let’s consider that Dynamics 365 connector is added to the Business data only group and Bing Maps connector is by default in the No business data allowed group. A user have created an App in the environment where the DLP policy is enforced by the administrator and successfully connected to the Dynamics 365 data source which is part of Business data only group. The user now tries to connect to the Bing maps data source, which according to the environment’s DLP policy is not allowed as it is part of No business data allowed group, hence, the user will encounter an error that says, “Using these connections together conflicts with the company data loss prevention policies”.

Error while connecting to a data source

As I mentioned earlier, they are in repelling groups that doesn’t talk to each other to share data which is what you need to secure your data. Let’s see how to set up DLP policies in an environment.

Creating a DLP policy:

To create a DLP Policy, you must be an Environment Admin or a Tenant Admin or an Office 365 Global Admin.

Sign in to the Admin center at https://admin.powerapps.com and you will see Data policies on the left navigation pane.

Click “New policy” on the top right corner.

Create New Policy

 You will see the new Data Policy name auto-populated. I am renaming it to “Safeguard D365 Data”. Choose an environment from the drop-down.

Environment selection

Note: If you are an Environment Admin, you will choose your environment as shown in the above screen. If you are a Tenant Admin, you will be able to

  • Apply to ALL environments
  • Apply to ONLY selected environments
  • Apply to ALL environments EXCEPT

Click “Continue” to proceed with Data groups set up. You will see the empty Business data group and the default No business data allowed group with all available connectors in it.

Data can be shared among data sources within the group itself but not between two groups.

Click “Add” to add connectors to the Business data only group.

“Business data only” and “No business data allowed” – Data Groups

Select the connectors and click “Add connectors”.

Select connectors for Business Data only group

You will see that the selected connectors are added to the Business data only group. At any point in time, a connector can reside in either of the groups and NOT in both groups.

Click “Save Policy”.

You may manage your DLP policy by clicking the “Edit” or “Delete” icon on the right side.

Now that the DLP policy is set up, as a best practice, Administrators may share the policy details with the organization so that users can make decision prior to designing the Apps.

Further reading…

https://docs.microsoft.com/en-us/power-platform/admin/create-dlp-policy

https://docs.microsoft.com/en-us/power-platform/admin/prevent-data-loss

https://docs.microsoft.com/en-us/power-platform/admin/introduction-to-data-groups