Administer flows

Learn about using environments and data protection policies to manage data sources and flows.

You will learn how to...

Use environments to manage flows

What is an environment:

An environment is a virtual space used to store, manage and share apps, flows, and business data in the Common Data Service. Environments are geolocated so all apps and data stored within an environment's database are geolocated as well.

Terms you should get familiar with

Term Description
Admin center The admin center is a Web portal for managing all your environments and data loss prevention policies.
Common Data Service The Common Data Service allows you to add data storage and modeling capabilities to your apps.
Environment roles The two environment roles are Environment Admin and Environment Maker.
User roles The two default user roles are Organization User and Database Owner. You can add roles, and associate permissions with those roles.

Purposes for an environment

You can use environments to:

  • Separate apps, flows and business data based on different roles, security requirements or users.
  • Separate apps, flows and business data based on the location of your teams or departments.
  • Manage test and production environments.

How to use environments

Environments can serve several different purposes, depending on your organizational needs, some examples are:

  • You can choose to build all your apps and flows in a single environment.
  • You could choose to create an environment for different types of apps and flows. For example, you could create an environment for test and another environment for production.
  • You may also choose to create environments based on your organizational structure or even based on geographic location of your teams or departments. For example, if you have teams in Australia, Mexico and Europe, you could create an environment for each of these locations and manage them independently.

Note: Environments are not visible to users so they don't need to be concerned with which environments they are in. Environments are a tool for admins to categorize, manage and share organizational apps and flows.

What are roles?

A person with access to an environment must be be assigned either the Environment Admin or the Environment Maker role. Environment admins can perform all administrative tasks on an environment. An environment maker can create resources in an existing environment. An individual can have both roles simultaneously.

Note: All users will have access to a default environment when each user is given access to Microsoft Flow. Users can have access to multiple environments.

Create an environment

You create environments from the Microsoft Flow admin center with these steps:

  1. Name your environment.
  2. Select a region where your environment will be hosted.
  3. Optionally you can decide to create a database for your environment. You can create a database after you've created an environment, if you desire.
  4. Optionally select who will have access to the database. You can either restrict access or give everyone access to the database.

Add users to an environment

After you create an environment, you can add users to either the Environment Admin role or the Environment Maker role. As with all other administrative tasks, you do this from the admin center.

After you've created the environment and added users, you may also want to create a data loss prevention (DLP) policy to help manage the use of your business data. We'll cover that in the next topic.

Use data loss prevention policies

With an expanding list of services available to build workflows with Microsoft Flow, you may need to safeguard sensitive or critical business data stored in enterprise services such as SharePoint or Salesforce. You may find that your organization needs to create a policy which ensures that sensitive business data isn't published to consumer services like Twitter and Facebook. With Microsoft Flow, you can easily create data loss prevention (DLP) policies to tightly control which consumer services your business data can be shared with when your users create flows.

Terms you should get familiar with

Term Description
DLP This is an abbreviation for data loss prevention. You'll create a DLP policy to manage the sharing of data between services.
Services Services are applications such as Salesforce, SharePoint and Twitter. These services, and lots more, are used to create flows.
Data group A logical grouping of services. You put services that are allowed to share data in the same data group. There are two data groups: business data only and the no business data allowed data group.
Environment A DLP is applied to an environment. An environment contains users.
Users Users are members of your organization to whom a DLP policy will apply, based on their membership in an environment.
Flow A flow is a workflow app that uses any combination of the available services.

All about how DLP policies work

A DLP policy is simply a named rule that places each service into one of two mutually exclusive data groups. This rule is then applied to an environment. An environment is a logical grouping of users. Users are not allowed to create flows that share data between the services you placed in the different data groups. In other words, your users can only create flows that share data between the services within a single data group. No cross-data-group sharing is allowed.

Data group name Description of data group
Business data only All services in this group can share data among themselves. They cannot share data with the no business data allowed data group.
No Business data allowed All services in this group can share data among themselves. They cannot share data with the business data only data group.

Note: Adding a service to one data group automatically removes it from the other data group. For example, if Twitter is currently located in the business data only data group, and you don't want to allow business data to be shared with Twitter, simply add the Twitter service to the no business data allowed data group. This will remove Twitter from the business data only data group.

Here's what you need to create a DLP

  • Access to the Microsoft Flow admin center
  • An account in the Environment Admin role
  • An environment with users assigned to it

Create a DLP policy

Here's a quick overview of how to create a DLP policy:

  1. Give the policy a name
  2. Select the environment to which the policy will apply
  3. Add the services to one of the two data groups. Remember, only services located in a specific group can share data so any flow that's created to share data between services located in the two data groups will be automatically blocked when the maker saves it.

There is also a more detailed walk-through on DLP policies available.


  • If you were to create a policy that restricts flows to share business data only among SharePoint, Office 365 users, Office 365 Outlook, OneDrive for Business, Dynamics 365, SQL Server and Salesforce, it would look like this:
  • Here's what it would look like if you decided to create a policy to not allow any members of a specific environment to create a flow that shares SharePoint data. Notice that SharePoint is the only service in the business data only data group:
    business data only


You've completed the Administer flows section of Microsoft Flow Guided Learning.

You learned how to...


  • Deon Herbert
  • Michael Blythe