Updates coming to Power Apps Data Loss Prevention

Starting 4 February 2021, Power Apps will proceed with enforcing Data Loss Prevention (DLP) policies when apps are launched. This enforcement is in addition to the DLP enforcement that occurs when connections are added to apps in Power Apps Studio. This enforcement change was previously communicated in Message Center (MC208818) and turned on and then turned off as unexpected behavior was observed. The unexpected behavior has since been resolved.

What are Data Loss Prevention Policies?
Your organization’s data is likely one of the most important assets you are responsible for safeguarding as an administrator. Power Apps and Power Automate allow rapid build and rollout of high value applications that allow users to measure and act on the data in real time. Users often have good intentions but might overlook the potential for exposure from data leakage to services and audiences that shouldn’t have access to the data. Data Loss Prevention (DLP) policies enforce rules of what connectors can be used together by classifying connectors as either Business Data only or No Business Data allowed. Simply, if you put a connector in the business data only group, it can only be used with other connectors from that group in the same app. Please see this article for further information on DLP.

What specifically is changing?
Typically, as a Power Apps maker you are informed of any DLP policy (as configured by the tenant or environment admin) violations while adding a connection to an app in Power Apps Studio. However, if DLP policies are edited by admins *after* an app is created, then users could continue to use the app even if it didn’t adhere to the latest DLP policy. This upcoming change ensures Power Apps not adhering to the latest published DLP policies no longer run until they comply with the latest DLP policy applicable for the environment.

How will you or your users be impacted?
Apps not adhering to the latest DLP policies in the organization will not launch but will instead be presented with an error message to end-users stating the app isn’t compliant with the new policies.

How you or your users can fix the impacted Power Apps?
Makers should open the app in Power Apps Studio to identify the connections in the application that violate the latest DLP policies. Makers should edit the application to remove these connections to bring the application back into compliance with the latest DLP policies.

If an application’s connections violating the latest DLP cannot be removed due to its use case, then admins and makers can decide to move the application with its existing connection to a different environment where the DLP policies allow the app to run without removing any connections. This may mean admins need to create new environments and DLP policies to accommodate the application’s requirements. Sometimes admins may agree to edit existing DLP policies in their current environment to accommodate an application’s requirement based on the security assessment.

Message ID: MC236224

No comments yet

Leave a Reply

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: