HTTP and custom connector support for DLP policies
We have made some recent investments into our Data Loss Prevention (DLP) capabilities. More specifically, we are adding support for HTTP and custom connectors to DLP policies that can be created or modified using PowerShell or the given Flow Templates.
Data Loss Prevention policies
Data Loss Prevention policies provide an ability to restrict which connectors can be used within the same app or flow. These policies can be established by either Environment or Tenant Administrators. Each DLP policy includes two data groups: Business and Non-business data. An administrator can choose a default data group to automatically include any new connectors that become available to PowerApps and Microsoft Flow.
HTTP connector support
Up to this point, the HTTP actions and triggers have not been considered connectors. Based on customer feedback, we have re-categorized those items so that they can be subject to DLP, giving customers a greater level of flexibility and control over their environments.
We have added the option to support these triggers/actions when a policy is created or modified using the PowerShell cmdlets or given Flow Templates. More specifically, you can now manage:
- HTTP (and HTTP + Swagger)
- HTTP Webhook
- HTTP Request
Custom connector support
We have also added the ability to include and manage custom connectors in DLP policies. These connectors must also be added to a policy via PowerShell or the Flow Template and will then be manageable in the Admin Portal.
Only custom connectors stored in a tenant’s default environment will be displayed with their given icon and display name in the policy editor. All other custom connectors will be displayed with the default connector icon and their internal name.
To perform the administration operations in the admin cmdlets, you’ll need the following:
- A paid Microsoft Flow/PowerApps Plan 2 license or a Microsoft Flow/PowerApps Plan 2 trial license. You can sign up for a 30-day trial license. You can renew trial licenses if they’ve expired.
- Environment Admins only have access to those environments and environment resources for which they have permissions.
- The latest PowerShell cmdlets.
We are currently implementing HTTP and custom connector support for DLP policies as Flow Templates and PowerShell scripts with plans for UI support in the future. This provides administrators with an opt-in choice as to whether they would like to implement this new capability. To add a custom connector, please use this template. To add HTTP support to a DLP policy, please use this template.
Modifying a DLP policy programmatically requires careful attention to avoid DLP policy corruption. As a result, the following precautions should be taken:
- Backing up existing policies using the PowerShell cmdlets or the Power Platform management connector.
- Running the following PowerShell cmdlets in a non-production tenant. A corrupt policy might prevent other DLP policies from being displayed within the PowerApps/Flow admin portal.
To add a custom connector to a policy via the new template, simply enter the policy name, the group to add the connector to, and the connector’s name, ID, and type. Run the flow once and the custom connector will be added to the policy and group specified.
To add the HTTP connectors to an existing policy via the new template, enter the name of the policy you’d like to add them to and run the flow.
To add support for custom connectors and/or HTTP connectors to a policy using PowerShell, download and import the latest PowerApps PowerShell scripts from the link above and use the cmdlets ‘New-AdminDlpPolicy’, ‘Set-AdminDlpPolicy’, ‘Add-CustomConnectorToPolicy’, and ‘Remove-CustomConnectorFromPolicy’ to modify a policy. The cmdlet ‘Get-Help
Use the schema version 2018-11-01 when creating or updating a DLP policy to include HTTP connectors. Adding HTTP support using the template or PowerShell will only affect the specified policy. New policies created via the Admin Center will not contain the HTTP connectors.
Important
You can't downgrade from schema version 2018-11-01. HTTP support cannot be removed from a policy. If you attempt to remove HTTP support, the DLP policy might be corrupted. Further, if a DLP policy is updated to support HTTP connectors, current flows using these HTTP capabilities might be shut off.
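The backup precaution and the one-way schema upgrade described above can be combined into a single guarded step. This is an added example, not code from the original post or from the PowerApps module; the function name, backup path and the `PolicyName`/`DisplayName` property names on the returned policy objects are assumptions, and the `-SchemaVersion` parameter should be confirmed with `Get-Help Set-AdminDlpPolicy` in your installed module version.

```powershell
# Added example. Assumes the PowerApps admin cmdlets are already imported and
# that Add-PowerAppsAccount has signed in to a NON-production tenant.
function Backup-AndEnableHttpDlp {            # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)]
        [string] $PolicyName,                 # internal policy name, not the display name
        [string] $BackupDir = (Join-Path $PWD 'dlp-backup')   # assumed location
    )

    # 1. Back up every policy the caller can see before changing anything.
    #    -WhatIf:$false keeps the backup real even during a -WhatIf dry run.
    New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false -Confirm:$false |
        Out-Null
    $stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $BackupDir "dlp-policies-$stamp.json"
    $policies   = @(Get-AdminDlpPolicy)
    ConvertTo-Json -InputObject $policies -Depth 20 |
        Set-Content -Path $backupFile -Encoding UTF8 -WhatIf:$false -Confirm:$false

    # 2. Stop if the backup is missing or empty, or the target policy is unknown.
    if (-not (Test-Path $backupFile) -or (Get-Item $backupFile).Length -eq 0) {
        throw "Backup file '$backupFile' was not written; no policy was changed."
    }
    # Assumption: policy objects expose PolicyName and DisplayName properties.
    $target = $policies | Where-Object { $_.PolicyName -eq $PolicyName }
    if (-not $target) {
        throw "Policy '$PolicyName' not found; no policy was changed."
    }

    # 3. The upgrade is one-way: schema 2018-11-01 cannot be downgraded and HTTP
    #    support cannot be removed, so require explicit confirmation.
    $action = 'Upgrade to schema 2018-11-01 (HTTP support; cannot be reverted)'
    if ($PSCmdlet.ShouldProcess($target.DisplayName, $action)) {
        Set-AdminDlpPolicy -PolicyName $PolicyName -SchemaVersion '2018-11-01'
    }

    # Return the backup path so it can be recorded with the change ticket.
    return $backupFile
}
```

Because flows that use the HTTP capabilities might be shut off once the policy covers them, review which flows in the affected environments rely on HTTP actions or triggers before confirming the prompt.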