Introducing HTTP and Custom Connector Support for Data Loss Prevention Policies
Hello Flow Fans!
FIRST! We want to thank Dorian Stubblefield who joined the Flow team as an intern from Washington University in St. Louis for driving the implementation of this feature
And now onto the post!
We have made some recent investments into our Data Loss Prevention (DLP) capabilities. More specifically, we are adding support for HTTP and Custom Connectors to DLP policies Which can be created or modified using PowerShell or the given Flow Templates.
Data Loss Prevention (DLP) policies
Data Loss Prevention (DLP) policies provide an ability to restrict what connectors can be used within the same PowerApp or Microsoft Flow. These policies can be established by either Environment or Tenant Administrators. Each DLP policy includes two data groups: Business and Non-business data. An administrator can choose a default data group to automatically include any new connectors that become available to PowerApps and Microsoft Flow.
HTTP Connector Support
The HTTP actions and triggers up to this point have not been considered connectors. Due to customer feedback, we decided to go ahead and re-categorize those items so they could be subject to DLP to offer customers a greater level of flexibility and control over their environments.
We have added the option to support these triggers/actions when a policy is created or modified using the PowerShell cmdlets or given Flow Templates. More specifically, you can now manage:
- HTTP (and HTTP + Swagger)
- HTTP Webhook
- HTTP Request
Custom Connector Support
We have also added the ability to include and manage custom connectors in DLP policies. These connectors must also be added to a policy via the PowerShell or Flow Template and will then be manageable in the Admin Portal.
Note: Only Custom Connectors stored in a tenant’s default environment will be displayed with its given icon and display name in the policy editor. All other custom connectors will be displayed with the default connector icon and their internal name.
To perform the administration operations in the admin cmdlets, you’ll need the following:
- A paid Microsoft Flow/PowerApps Plan 2 license or a Microsoft Flow/PowerApps Plan 2 trial license. You can sign-up for a 30-day trial license at https://web.powerapps.com/trial. Trial licenses can be renewed if they’ve expired.
- Office 365 Global Administratoror Azure Active Directory Global Administrator permissions if you need to search through another user’s resources. (Note that Environment Admins only have access to those environments and environment resources for which they have permissions.)
- The latest PowerShell cmdlets.
We are currently implementing HTTP and Custom Connector support for DLP policies as Flow Templates and PowerShell scripts with plans for UI support in the future. This provides administrators with an opt-in choice as to whether they would like to implement this new capability. To add a custom connector, please use this template. To add HTTP support to a DLP policy, please use this template.
Note: Modifying a DLP policy programmatically requires careful attention to avoid DLP policy corruption. As a result, the following precautions should take place:
- Backing up existing policies using the PowerShell cmdlets or the Power platform management connector.
- Running the following PowerShell cmdlets in a non-production tenant. A corrupt policy may impact other DLP policies from being displayed within the PowerApps/Flow admin portal.
To add a custom connector to a policy via the new template, simply enter the policy name, the group to add the connector to, and the connector’s name, id, and type. Run the Flow once and the custom connector will be added to the policy and group specified.
To add the HTTP connectors to an existing policy via the new template, enter the name of the policy you’d like to add them to and run the Flow.
To add support for custom connectors and/or HTTP connectors to a policy using the PowerShell, download and import the latest PowerApps PowerShell scripts from the link above and use the cmdlets ‘New-AdminDlpPolicy’, ‘Set-AdminDlpPolicy’, ‘Add-CustomConnectorToPolicy’, and ‘Remove-CustomConnectorFromPolicy’ to modify a policy. The cmdlet ‘Get-Help <cmdlet name> -detailed’ can be used as a reference.
Note: Use the schema version ‘2018-11-01′ when creating or updating a DLP policy to include HTTP connectors. Adding HTTP support using the template or PowerShell will only affect the specified policy. New policies created via the Admin Center will not contain the HTTP connectors.
Caution: WE DO NOT SUPPORT DOWNGRADING FROM SCHEMA VERSION 2018-11-01. Once HTTP support is added to a policy, it cannot be taken away. Attempting to do so may corrupt that DLP policy. Furthermore, if a DLP policy is updated to support HTTP connectors, current flows using these HTTP capabilities may be shut off.