Data Policies (DLP Rules)
Data Policies (DLP Rules)
Data Policies, also known as Data Loss Prevention rules or DLP rules, are an important part of security and governance in Microsoft Power Platform. They help organizations control how data moves between different applications, connectors, services, and environments.
In Power Platform, users can build apps, flows, chatbots, and automation solutions using many different connectors. These connectors can connect to Microsoft services, third-party services, databases, APIs, cloud storage, email systems, and social platforms. Without proper control, business data may accidentally move from a trusted business system to an untrusted or personal service.
Data Policies help prevent this risk by defining which connectors can be used together, which connectors are allowed, and which connectors are blocked. These policies act as security guardrails for makers, administrators, and organizations.
What are Data Policies?
Data Policies are governance rules used in Power Platform to control connector usage across environments. They help administrators define how business data can be used in Power Apps, Power Automate, and other Power Platform services.
A data policy does not directly protect every file or database record by itself. Instead, it controls the connectors that makers can use inside apps and flows. This helps prevent accidental data sharing between trusted and untrusted services.
For example, an organization may allow SharePoint, Dataverse, SQL Server, and Office 365 Outlook to be used for business processes. But it may not want business data to be sent to personal Gmail, Dropbox, Twitter, or other external services. DLP rules help enforce this separation.
What is DLP?
DLP stands for Data Loss Prevention. It is a security approach used to prevent sensitive or important information from being accidentally or intentionally shared with unauthorized systems or users.
In Power Platform, DLP mainly focuses on controlling connector combinations. It helps answer questions such as:
- Which connectors are trusted for business data?
- Which connectors should not be used with business data?
- Which connectors should be completely blocked?
- Which environments should follow specific data rules?
- How can administrators reduce accidental data leakage?
Why Data Policies are Important?
| Importance | Explanation |
|---|---|
| Protects Business Data | Data policies help prevent sensitive business data from being shared through unapproved connectors. |
| Supports Governance | Administrators can define rules for how makers use connectors in Power Platform environments. |
| Reduces Data Leakage Risk | DLP rules reduce the chance of accidentally sending organizational data to personal or external services. |
| Improves Compliance | Organizations can align connector usage with security, privacy, and compliance requirements. |
| Controls Low-Code Development | Makers can still build solutions, but within approved security boundaries. |
| Supports Environment Strategy | Different environments can have different DLP controls based on their purpose. |
Why DLP is Needed in Power Platform?
Power Platform allows users to create apps and flows quickly using low-code tools. This is very useful for productivity, but it also creates governance challenges. A user can create a flow that reads data from one system and sends it to another system. If this is not controlled, important data may move to an unsafe destination.
Example:
- A flow reads employee data from SharePoint.
- The flow sends the data to a personal email account.
- The organization loses control over where that data goes.
DLP rules help prevent such scenarios by restricting which connectors can be used together.
Core Concept: Connectors
Connectors are used in Power Platform to connect apps and flows with different services. A connector acts as a bridge between Power Platform and another system.
Examples of connectors include:
- SharePoint connector
- Dataverse connector
- Office 365 Outlook connector
- SQL Server connector
- OneDrive for Business connector
- Gmail connector
- Dropbox connector
- Twitter connector
- HTTP connector
- Custom connector
Since connectors can move data between services, they are the main focus of DLP rules in Power Platform.
Connector Classification in DLP Policies
In Power Platform DLP policies, connectors are usually classified into three main groups:
| Connector Group | Meaning | Example |
|---|---|---|
| Business | Trusted connectors that are approved for business data. | SharePoint, Dataverse, SQL Server, Office 365 Outlook. |
| Non-Business | Connectors that are not approved to mix with business data. | Some personal, social, or external services. |
| Blocked | Connectors that are not allowed to be used in selected environments. | Unapproved APIs, risky third-party services, or restricted connectors. |
Business Connector Group
The Business connector group contains trusted connectors that are approved for handling business data. These connectors are usually part of the organization’s official business systems.
Example Business connectors:
- Microsoft Dataverse
- SharePoint
- Office 365 Outlook
- SQL Server
- Dynamics 365
- OneDrive for Business
If a Power App or Power Automate flow uses a connector from the Business group, it should only use other connectors from the same Business group within that policy boundary.
Non-Business Connector Group
The Non-Business connector group contains connectors that may be allowed in some situations but should not be mixed with business data connectors in the same app or flow.
Example Non-Business connectors:
- Personal cloud services
- Social media services
- External consumer services
- Non-approved third-party services
These connectors may be useful for personal productivity or non-sensitive scenarios, but they should not be used together with business connectors if the DLP policy restricts that combination.
Blocked Connector Group
The Blocked connector group contains connectors that are completely disallowed by the data policy. Makers cannot use blocked connectors in apps or flows within the environments where the policy applies.
Connectors may be blocked when:
- They are not approved by the organization.
- They create a high risk of data exposure.
- They connect to unknown or unmanaged services.
- They allow data transfer outside approved systems.
- They are not required for business purposes.
How DLP Rules Work
DLP rules work by preventing connectors from different groups from being used together in the same app or flow. This helps prevent data from moving between trusted and untrusted services.
| Scenario | DLP Result |
|---|---|
| Business connector used with another Business connector | Allowed, if both connectors are in the same Business group. |
| Non-Business connector used with another Non-Business connector | Allowed, if both connectors are in the same Non-Business group. |
| Business connector used with Non-Business connector | Blocked by policy because data may move between trusted and untrusted services. |
| Blocked connector used in app or flow | Not allowed in the environment where the policy applies. |
Simple Example of DLP Policy
Suppose an organization creates the following DLP policy:
| Group | Connectors |
|---|---|
| Business | SharePoint, Dataverse, Office 365 Outlook |
| Non-Business | Gmail, Dropbox, Twitter |
| Blocked | Unapproved custom APIs |
In this case:
- A flow using SharePoint and Office 365 Outlook may be allowed.
- A flow using Gmail and Dropbox may be allowed if both are Non-Business.
- A flow using SharePoint and Gmail may be blocked.
- A flow using a blocked custom API will not be allowed.
Scope of Data Policies
Data policies can be applied at different scopes depending on the governance requirement.
| Policy Scope | Description | Example Usage |
|---|---|---|
| Tenant-Level Policy | Applies across multiple or all environments in the tenant. | Apply common DLP rules for the whole organization. |
| Environment-Level Policy | Applies to a specific Power Platform environment. | Apply stricter rules to production or default environments. |
| Selected Environment Policy | Applies only to selected environments. | Apply special rules to HR, Finance, or Sales environments. |
Tenant-Level DLP Policies
Tenant-level policies are used when administrators want to define common connector rules across the organization. These policies can include or exclude specific environments.
Tenant-level policies are useful when:
- The organization wants a common governance baseline.
- All environments should follow minimum security rules.
- Administrators want consistent connector classification.
- High-risk connectors should be blocked across the tenant.
Environment-Level DLP Policies
Environment-level policies are used when administrators want to apply rules to a specific environment. This is useful because different environments may have different security requirements.
Example:
- A Development environment may allow more connectors for testing.
- A Production environment may allow only approved business connectors.
- A Default environment may have stricter rules to reduce accidental data leakage.
DLP Policy Creation Process
A typical DLP policy creation process includes the following steps:
- Identify the business requirement.
- List the connectors required by makers and business users.
- Classify connectors into Business, Non-Business, and Blocked groups.
- Define the policy scope such as tenant-level or environment-level.
- Select the environments where the policy will apply.
- Review the policy configuration.
- Save and apply the policy.
- Monitor apps and flows for policy impact.
Who Manages DLP Policies?
DLP policies are usually managed by administrators or governance teams. The exact role depends on the organization’s Power Platform administration model.
| Role | Responsibility |
|---|---|
| Power Platform Administrator | Creates and manages tenant-level policies and governance settings. |
| Environment Administrator | Manages environment-level controls and supports makers in that environment. |
| Security Team | Defines data protection and risk management requirements. |
| Compliance Team | Ensures policies align with regulatory and organizational requirements. |
| Makers | Build apps and flows within the boundaries of approved DLP policies. |
Real-Life Scenario: Protecting Finance Data
A finance team stores invoice and payment records in SharePoint and Dataverse. A maker creates a flow to send invoice summaries by email. This is acceptable if the email connector is an approved business connector.
However, if the maker tries to send the same finance data to a personal email service or external storage service, it may create a data leakage risk. A DLP policy can prevent this by ensuring SharePoint and Dataverse cannot be used together with unapproved connectors.
Possible DLP Configuration
- SharePoint: Business
- Dataverse: Business
- Office 365 Outlook: Business
- Gmail: Non-Business or Blocked
- Dropbox: Non-Business or Blocked
Real-Life Scenario: HR Employee Data Protection
HR data often contains sensitive employee information. If a Power App collects employee onboarding details, the organization may want this data to stay only inside approved business systems.
A DLP policy can allow HR apps to use Dataverse, SharePoint, and Office 365 Outlook, but prevent the same app from sending employee data to personal storage or social media connectors.
Benefits
- Protects employee information.
- Reduces accidental sharing of personal data.
- Supports privacy and compliance requirements.
- Provides clear rules for makers building HR solutions.
Real-Life Scenario: Blocking Unapproved APIs
Some organizations allow custom connectors for approved APIs. However, unapproved APIs may create security risks because they can send data to unknown external systems.
Administrators can use DLP policies to block unapproved custom connectors or restrict them to special environments where they are reviewed and controlled.
DLP in Power Apps
In Power Apps, DLP policies affect the connectors used inside canvas apps and model-driven app-related processes. If a maker tries to combine connectors from restricted groups, the app may not be allowed to use that combination.
Example:
- A canvas app uses SharePoint to read employee records.
- The maker tries to add a consumer email connector.
- If SharePoint is Business and the consumer email connector is Non-Business, the policy may block the combination.
DLP in Power Automate
In Power Automate, DLP policies affect cloud flows and connector combinations. If a flow uses connectors that are not allowed together, the flow may fail policy validation or may not run as expected.
Example:
- A flow reads customer data from Dataverse.
- The flow attempts to save the data into Dropbox.
- If Dataverse is Business and Dropbox is Non-Business or Blocked, the flow can be restricted by DLP.
DLP in Copilot Studio
Copilot Studio can use connectors, actions, and data sources to support chatbot or agent scenarios. DLP policies help administrators control which connectors and services can be used in these intelligent conversational solutions.
This is important because chatbots may access business data and trigger workflows. DLP rules help ensure that business information is not sent to unapproved systems through chatbot actions.
Common DLP Policy Design Patterns
| Design Pattern | Description | Example |
|---|---|---|
| Strict Default Environment Policy | Apply restrictive rules to the default environment where many users may create apps and flows. | Allow only basic approved Microsoft business connectors. |
| Business-Critical Environment Policy | Use strong rules for environments that contain sensitive business data. | Finance or HR production environments. |
| Development Environment Policy | Allow selected extra connectors for testing while still blocking risky connectors. | Developer sandbox or proof-of-concept environment. |
| Department-Specific Policy | Create policies based on department requirements. | Sales, HR, Finance, Operations. |
| Blocked Connector Policy | Block connectors that are not approved by security or compliance teams. | Unapproved third-party storage or unknown APIs. |
Example: DLP Policy for Finance Environment
| Connector | DLP Group | Reason |
|---|---|---|
| Dataverse | Business | Stores structured finance application data. |
| SharePoint | Business | Stores finance documents and approval records. |
| Office 365 Outlook | Business | Used for business notifications and approval emails. |
| SQL Server | Business | Used for approved business database access. |
| Gmail | Blocked | Personal email service should not handle finance data. |
| Dropbox | Blocked | Unapproved external storage may expose finance documents. |
| Blocked | Social media connector is not required for finance processes. |
Common DLP Issues
Makers may face errors when a connector is blocked or when connectors from different DLP groups are used together. These issues usually happen because the app or flow violates the active policy.
| Issue | Possible Reason | Suggested Action |
|---|---|---|
| Connector is blocked | The connector belongs to the Blocked group. | Use an approved connector or contact the administrator. |
| Flow cannot be saved | The flow combines Business and Non-Business connectors. | Review connector groups and adjust the design. |
| App stops working after policy change | A new policy may have restricted an existing connector combination. | Review policy impact before applying changes. |
| Custom connector unavailable | The custom connector may be blocked or restricted. | Request approval for the connector or use a dedicated environment. |
| Business process fails unexpectedly | DLP rule may block a required connector action. | Check policy configuration and flow dependencies. |
Impact of DLP Policy Changes
Changing DLP policies can affect existing apps and flows. If a connector is moved from Business to Non-Business or Blocked, existing solutions may stop working or may require redesign.
Before making policy changes, administrators should:
- Identify apps and flows using the affected connectors.
- Review business-critical dependencies.
- Communicate planned changes to makers and owners.
- Test policy changes in non-production environments where possible.
- Prepare support guidance for impacted users.
DLP and Environment Strategy
DLP policies should be planned together with environment strategy. Different environments serve different purposes, so they may need different levels of restriction.
| Environment Type | Recommended DLP Approach |
|---|---|
| Default Environment | Use stricter rules because many users may have access to create apps and flows. |
| Development Environment | Allow selected connectors for building and testing, but block risky services. |
| Test Environment | Use rules close to production to validate real behavior before release. |
| Production Environment | Use approved business connectors only and block unnecessary connectors. |
| Sandbox Environment | Allow controlled experimentation with strong monitoring and limited access. |
Advantages of Data Policies
- Helps prevent accidental data exposure.
- Supports secure low-code development.
- Controls connector usage across environments.
- Improves governance of apps and flows.
- Helps align Power Platform usage with organizational policies.
- Reduces risks from unapproved third-party services.
- Provides administrators with centralized control over connector classification.
Limitations of DLP Policies
- DLP policies mainly control connectors, not every data record directly.
- They do not replace proper security roles and permissions.
- They do not automatically classify all sensitive data content.
- Incorrect policy design may block legitimate business processes.
- Policy changes may affect existing apps and flows.
- Some connectors may have special restrictions or limitations.
- DLP should be used together with environment management, access control, monitoring, and compliance processes.
DLP Policies vs Security Roles
| Point | DLP Policies | Security Roles |
|---|---|---|
| Main Purpose | Control which connectors can be used together. | Control what users can access or perform in a system. |
| Focus Area | Connector usage and data movement boundaries. | User permissions, record access, and operations. |
| Example | Prevent SharePoint data from being sent to Gmail. | Allow a user to read but not delete Dataverse records. |
| Used By | Power Platform administrators and governance teams. | System administrators and environment administrators. |
DLP Policies vs Compliance Policies
| Point | DLP Policies | Compliance Policies |
|---|---|---|
| Purpose | Prevent risky connector combinations and reduce data leakage risk. | Ensure the organization follows legal, regulatory, and internal standards. |
| Scope | Power Platform connector usage. | Broader organizational security, privacy, retention, and audit requirements. |
| Example | Block use of consumer storage connectors in production. | Ensure customer data is retained and protected according to policy. |
| Relationship | DLP supports compliance by enforcing technical controls. | Compliance defines the larger rules and obligations. |
Best Practices for Data Policies
| Best Practice | Explanation |
|---|---|
| Start with a clear connector strategy | Decide which connectors are trusted, restricted, and blocked before creating policies. |
| Protect the default environment | Apply stricter policies because many users may create apps and flows there. |
| Use separate environments | Create dedicated environments for development, testing, production, and special business needs. |
| Classify connectors carefully | Place connectors in Business, Non-Business, or Blocked groups based on risk and business purpose. |
| Review before changing policies | Policy changes can affect existing apps and flows, so review impact before applying changes. |
| Communicate with makers | Explain why connectors are restricted and provide approved alternatives. |
| Monitor policy violations | Review errors, blocked connectors, and user feedback to improve governance. |
| Use least privilege principles | Allow only the connectors needed for the business process. |
| Document policy decisions | Maintain documentation explaining connector classification and policy scope. |
Example DLP Governance Checklist
- Have all environments been identified?
- Is the default environment protected with appropriate restrictions?
- Are business connectors clearly defined?
- Are risky connectors blocked or restricted?
- Are custom connectors reviewed before approval?
- Are production environments using approved connector groups?
- Are makers informed about DLP policy rules?
- Are policy changes tested before rollout?
- Are exceptions documented and approved?
- Are DLP policies reviewed regularly?
Practical Example: Customer Support Flow with DLP
A customer support team creates a flow to collect support requests from Microsoft Forms, store them in SharePoint, and notify the support team through Microsoft Teams.
Approved connectors:
- Microsoft Forms
- SharePoint
- Microsoft Teams
- Office 365 Outlook
These connectors can be placed in the Business group because they are approved for internal business processing.
Restricted connectors:
- Personal Gmail
- External file sharing services
- Unapproved social media connectors
These connectors can be placed in Non-Business or Blocked groups depending on organizational policy.
Simple Practical Project Idea
Project Name: Power Platform DLP Policy Design for a Company
Project Description: Design a sample DLP policy for a company that uses Power Apps and Power Automate for HR, Finance, and Customer Support processes.
Main Requirements:
- Create separate connector groups for Business, Non-Business, and Blocked connectors.
- Classify SharePoint, Dataverse, Office 365 Outlook, Teams, and SQL Server as Business connectors.
- Classify personal or social connectors as Non-Business or Blocked.
- Apply stricter rules for production and default environments.
- Document why each connector is allowed or blocked.
- Create a maker guidance document explaining approved connector usage.
Expected Outcome:
- Better control over data movement.
- Reduced risk of accidental data leakage.
- Clear governance for makers and administrators.
- Improved security posture for Power Platform solutions.
Important Points to Remember
- Data Policies are also known as DLP rules in Power Platform.
- DLP rules control connector usage and connector combinations.
- Connectors are commonly grouped into Business, Non-Business, and Blocked groups.
- Business connectors should not be mixed with Non-Business connectors when restricted by policy.
- Blocked connectors cannot be used where the policy applies.
- DLP policies can be applied at tenant level or environment level.
- DLP does not replace security roles, permissions, monitoring, or compliance controls.
- Policy changes should be reviewed carefully because they can affect existing apps and flows.
Conclusion
Data Policies, or DLP Rules, are one of the most important governance controls in Microsoft Power Platform. They help organizations define safe boundaries for data movement by controlling which connectors can be used together and which connectors should be blocked.
As Power Platform allows users to rapidly build apps and automation solutions, DLP policies help balance innovation with security. They allow makers to create business solutions while reducing the risk of accidental data exposure.
A strong DLP strategy should include connector classification, environment-level planning, clear governance rules, communication with makers, monitoring, and regular policy review. When implemented properly, DLP rules help organizations build secure, compliant, and well-governed Power Platform solutions.