HTTP and custom connector support for DLP policies

We have made some recent investments into our Data Loss Prevention (DLP) capabilities. More specifically, we are adding support for HTTP and custom connectors to DLP policies that can be created or modified using PowerShell or the given Flow Templates.

Data Loss Prevention policies

Data Loss Prevention policies provide the ability to restrict which connectors can be used together within the same app or flow. These policies can be established by either Environment or Tenant Administrators. Each DLP policy includes two data groups: Business data and Non-business data. An administrator can choose a default data group that automatically receives any new connectors that become available to PowerApps and Microsoft Flow.

DLP policies

HTTP connector support

The HTTP actions and triggers have, up to this point, not been considered connectors. Based on customer feedback, we decided to re-categorize those items so they could be subject to DLP, giving customers a greater level of flexibility and control over their environments.

We have added the option to support these triggers/actions when a policy is created or modified using the PowerShell cmdlets or given Flow Templates. More specifically, you can now manage:

  • HTTP (and HTTP + Swagger)
  • HTTP Webhook
  • HTTP Request

HTTP actions

Custom connector support

We have also added the ability to include and manage custom connectors in DLP policies. These connectors must be added to a policy via PowerShell or the Flow Template and will then be manageable in the Admin Portal.

Note

Only custom connectors stored in a tenant's default environment will be displayed with their own icon and display name in the policy editor. All other custom connectors will be displayed with the default connector icon and their internal name.

Prerequisites

To perform the administration operations in the admin cmdlets, you’ll need the following:

Implementation

We are currently implementing HTTP and custom connector support for DLP policies as Flow Templates and PowerShell scripts with plans for UI support in the future. This provides administrators with an opt-in choice as to whether they would like to implement this new capability. To add a custom connector, please use this template. To add HTTP support to a DLP policy, please use this template.

Note

Modifying a DLP policy programmatically requires careful attention to avoid corrupting the policy. Take the following precautions:

  • Back up existing policies using the PowerShell cmdlets or the Power Platform management connector.
  • Run the following PowerShell cmdlets in a non-production tenant first. A corrupt policy might prevent other DLP policies from being displayed within the PowerApps/Flow admin portal.

Templates

To add a custom connector to a policy via the new template, simply enter the policy name, the group to add the connector to, and the connector’s name, ID, and type. Run the flow once and the custom connector will be added to the policy and group specified.

To add the HTTP connectors to an existing policy via the new template, enter the name of the policy you’d like to add them to and run the flow.

PowerShell

To add support for custom connectors and/or HTTP connectors to a policy using PowerShell, download and import the latest PowerApps PowerShell scripts from the link above and use the cmdlets 'New-AdminDlpPolicy', 'Set-AdminDlpPolicy', 'Add-CustomConnectorToPolicy', and 'Remove-CustomConnectorFromPolicy' to modify a policy. Running 'Get-Help -Detailed' on each cmdlet can be used as a reference.

Use the schema version 2018-11-01 when creating or updating a DLP policy to include HTTP connectors. Adding HTTP support using the template or PowerShell will only affect the specified policy. New policies created via the Admin Center will not contain the HTTP connectors.
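As an added example (not part of the original post and not one of Microsoft's own scripts), the following script carries out the precaution above and the PowerShell steps in order: back up every policy, move the target policy to schema 2018-11-01, then add a custom connector to a data group. It assumes the Microsoft.PowerApps.Administration.PowerShell module is installed and that the parameter names shown (-PolicyName, -SchemaVersion, -GroupName, -ConnectorName, -ConnectorId, -ConnectorType, and the hbi/lbi group values) match the current Get-Help output for these cmdlets; verify them before running, and run in a non-production tenant first.

```powershell
# Added example, not the post's own code. Parameter names below are assumptions to be
# checked against 'Get-Help <cmdlet> -Detailed' in the installed module version.
param(
    [Parameter(Mandatory)] [string] $PolicyDisplayName,   # policy to modify, by display name
    [Parameter(Mandatory)] [string] $ConnectorName,       # custom connector's internal name
    [Parameter(Mandatory)] [string] $ConnectorId,         # custom connector's ID
    [string] $ConnectorType = 'Microsoft.PowerApps/apis', # assumed type value; take it from the connector
    [ValidateSet('hbi','lbi')] [string] $GroupName = 'hbi', # hbi = Business data, lbi = Non-business data (assumed)
    [string] $BackupDir = (Join-Path $PWD 'dlp-backup')
)

Add-PowerAppsAccount   # interactive sign-in as a tenant or environment admin

# 1. Back up every existing policy before touching anything.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-AdminDlpPolicy | ConvertTo-Json -Depth 10 |
    Set-Content (Join-Path $BackupDir "policies-$stamp.json")

# 2. Resolve the target policy by display name; stop on zero or multiple matches
#    so a typo cannot silently modify the wrong policy.
$found = @(Get-AdminDlpPolicy | Where-Object { $_.DisplayName -eq $PolicyDisplayName })
if ($found.Count -ne 1) {
    throw "Expected exactly one policy named '$PolicyDisplayName', found $($found.Count)"
}
$policy = $found[0]

# 3. Move the policy to schema 2018-11-01 so the HTTP connectors become governed.
#    This is one-way: the schema version cannot be downgraded afterwards.
Set-AdminDlpPolicy -PolicyName $policy.PolicyName -SchemaVersion '2018-11-01'

# 4. Add the custom connector to the chosen data group of that policy only.
Add-CustomConnectorToPolicy -PolicyName $policy.PolicyName -GroupName $GroupName `
    -ConnectorName $ConnectorName -ConnectorId $ConnectorId -ConnectorType $ConnectorType

# 5. Re-read the policy and keep an "after" snapshot next to the backup for comparison.
$after = Get-AdminDlpPolicy -PolicyName $policy.PolicyName
$after | ConvertTo-Json -Depth 10 |
    Set-Content (Join-Path $BackupDir "policy-$($policy.PolicyName)-after-$stamp.json")
```

Compare the before and after JSON snapshots before repeating the change in production, and keep the backup so a policy that fails to display in the admin portal can be recreated from it.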

Important

You can't downgrade from schema version 2018-11-01. HTTP support cannot be removed from a policy. If you attempt to remove HTTP support, the DLP policy might be corrupted. Further, if a DLP policy is updated to support HTTP connectors, current flows using these HTTP capabilities might be shut off.