DLP Policy Toolbox – a free App for better DLP Management

Published by Valentin Mazhar on , last updated on


The Power Platform governance features are slowly but surely ramping up into something satisfactory for admins, CoEs and governance teams. One of the key components in that range of functionality is DLP Policies. Even though the Power Platform Admin Center lets admins configure DLP Policies, a few features are either missing or restricted to the premium Managed Environments… That is why I created the DLP Policy Toolbox, which I want to share in this post!

Screenshot of the DLP Policy Toolbox app

What are DLP Policies?

If you have clicked on this post, chances are that you already know what DLP Policies are. In any case, in a nutshell:

  • Connectors are the components that allow Makers to build solutions integrating with other services. For example, a Maker can use the Outlook connector to send emails from a Flow or an App.
  • More than 1000 connectors are available on the platform today.
  • DLP Policies allow admins to define which connectors can be used in a given Environment, by classifying every connector into one of 3 groups: Business, Non-business, and Blocked.
  • Consider an environment governed by a single DLP Policy and containing several Apps and Flows. Within one App or Flow, only connectors from the same non-blocked group can be combined: a Business connector and a Non-business connector cannot appear in the same Flow, which is what prevents business data from being piped to a non-business service. Blocked connectors can never be used.
  • Once a connector is enabled in an environment, it can be used by every Maker who has permission to create Apps and Flows in that environment; DLP is an environment-level control, not a per-user one.
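To make the same-group rule concrete, here is an added Python example. It is my own illustration, not code from the toolbox: it evaluates the connectors used by one App or Flow against a constructed sample classification. The connector ids and their assignment to groups are made up for the example; the handling of unclassified connectors mirrors the default-group setting of the Admin Center.

```python
from typing import Dict, Iterable, List, Tuple

# Group names as they appear in the Power Platform Admin Center.
BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-business", "Blocked"

# Constructed sample policy for one environment: connector id -> group.
# The ids mimic the platform's "shared_<name>" convention; the assignments
# are illustrative, not a recommendation.
SAMPLE_POLICY: Dict[str, str] = {
    "shared_office365": BUSINESS,          # Outlook
    "shared_sharepointonline": BUSINESS,
    "shared_rss": NON_BUSINESS,
    "shared_twitter": NON_BUSINESS,
    "shared_ftp": BLOCKED,
}

# Connectors the policy does not mention fall into the policy's default group;
# Non-business is the platform default unless an admin changes it.
DEFAULT_GROUP = NON_BUSINESS


def classify(policy: Dict[str, str], connector_id: str) -> str:
    """Group of one connector under the policy (default group if unclassified)."""
    return policy.get(connector_id, DEFAULT_GROUP)


def check_app(policy: Dict[str, str], connector_ids: Iterable[str]) -> Tuple[bool, str]:
    """Decide whether ONE App or Flow using connector_ids is allowed under policy.

    Two rules are applied: no Blocked connector may be used at all, and all
    remaining connectors must belong to a single group, so Business data
    cannot be wired to a Non-business service inside the same App or Flow.
    """
    by_group: Dict[str, List[str]] = {}
    for cid in connector_ids:
        by_group.setdefault(classify(policy, cid), []).append(cid)

    if BLOCKED in by_group:
        return False, "blocked connector(s) in use: " + ", ".join(sorted(by_group[BLOCKED]))
    if len(by_group) > 1:
        mixed = "; ".join(f"{g}: {', '.join(sorted(c))}" for g, c in sorted(by_group.items()))
        return False, "connectors span more than one group: " + mixed
    return True, "all connectors sit in one non-blocked group"


if __name__ == "__main__":
    for flow in (["shared_office365", "shared_sharepointonline"],
                 ["shared_office365", "shared_twitter"],
                 ["shared_rss", "shared_ftp"],
                 ["shared_rss", "shared_newconnector"]):  # unclassified -> default group
        print(flow, check_app(SAMPLE_POLICY, flow))
```

The last sample flow is the one to watch in practice: a connector released after the policy was built lands in the default group, so a Non-business default silently lets it be combined with every other Non-business connector until an admin reclassifies it.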

A lot more information is available on the official Microsoft documentation.

What is missing from the Admin Center to manage DLP Policies?

Before presenting the DLP Policy Toolbox App, let’s start by asking ourselves what is missing in the Power Platform Admin Center. So far, I have experienced two main issues…

The manual DLP Policy creation process can take a long time

Many organizations have a governance strategy that restricts connectors based on their associated level of risk, so not every connector is available in every environment. Every now and then, an admin needs to create a new DLP Policy, and for each connector they have to decide which group is appropriate. With the 1000+ connectors available today, this can take forever.

And what if an admin wants to reuse an existing DLP Policy for another environment, changing only the classification of a few connectors? They would have to recreate it from scratch and carefully make sure that each connector is classified appropriately… Until this post 😁

It is not always easy to identify which DLP Policy applies to a specific environment

Each DLP Policy has a specific scope:

  • Some apply to a list of environments,
  • Some apply to all environments,
  • Some apply to all environments, except a list of excluded environments.

From a technical point of view, several DLP Policies can apply to the same environment. However, this makes things a lot more complex, and neither I nor Microsoft recommend it.

So, let’s now imagine an organization with many Environments and many DLP Policies in place. A Maker has an issue with a blocked connector and contacts the admin for help. What is the first thing the admin might want to do? Check which DLP Policy applies to this environment. How do they do that? Well… Today there is no immediate way to do this. Oh wait! Since fairly recently, this is a functionality of Managed Environments, a premium type of environment in which all Apps and Flows are treated as premium. And what if the organization is not using such environments because of the cost? Then there is no immediate answer today. Until this post 😁

The DLP Policy Toolbox allows admins to duplicate and identify DLP Policies

Facing these two challenges on a regular basis, I decided to create an App that makes them a lot easier. The solution allows the user to:

  • Duplicate an existing DLP Policy in a few clicks
  • Identify all the policies that apply to a specific environment

Here is what the DLP Policy Toolbox solution contains:

  • 1 Power Apps Canvas App,
  • 3 Power Automate cloud flows triggered from the App,
  • 1 connection reference for the Power Platform for Admins connector.

The App does not store any data anywhere and only works for a user with a Tenant Administrator role. It has no dependency on the CoE Starter Kit and does not require any premium license whatsoever. Since the App can delete policies as well as create them, share it only with the admins who are meant to manage DLP Policies.

The DLP Policy Toolbox is available from my GitHub repository here. The following sections describe how to use it.

Duplicating a DLP Policy with the DLP Duplicator

The Duplicator Landing Screen

The Canvas App opens on the Duplicator screen, which lets you duplicate a DLP Policy in a few clicks. Here is what the Duplicator landing screen looks like:

Landing page of the DLP Policy Duplicator
  1. The gallery on the left-hand side lists the existing tenant DLP Policies. It is populated by the cloud flow “Get All Tenant Dlps”. Select the policy to be duplicated in that gallery.
  2. Several tabs are available on that screen. The “Properties” tab shows the general configuration of the policy; the “Connectors” tab shows the count of connectors in each group; the “Duplicate”, “Delete” and “Open” tabs respectively duplicate, delete, or open the policy. The “DLP Finder” tab switches to the DLP Finder screen, which lists the policies applied to any given environment.
  3. The General Settings section shows the key parameters of the policy selected in the left-hand gallery: its name, its creation date, the default group for connectors (any newly released connector is classified into that default group until an admin reclassifies it) and its scope.
  4. The section at the bottom shows the Environment(s) added to the selected policy. Depending on the scope of the policy, these are either the environments included in or the environments excluded from the policy. This information is gathered by the cloud flow “Get Environments Included in DLP”. If there are more than 50 environments, the flow only returns the count of environments, to keep performance acceptable.

The Duplicate tab

When opening the “Duplicate” tab, you have to define a name for the new DLP Policy and, unless the source policy applies to all environments, select the Environment to which the new policy will apply. You can then click “Duplicate DLP Policy”, which creates the new policy through the Power Platform for Admins connector.

Please note the following:

  • The custom connector endpoint configuration is not replicated and has to be reconfigured manually from the Admin Center,
  • Granular action control is not replicated either and also has to be reconfigured manually; until both are redone, the copy is more permissive than the original, since endpoint and action rules only ever restrict what a connector may do,
  • The duplication preserves the default connector group and the other parameters.

Finding the DLP Policies applying to a specific environment with the DLP Finder

When opening the DLP Finder tab, another screen with a similar layout opens. The Environments in the tenant are listed on the left-hand side; selecting one lists all the DLP Policies applying to that environment in the main area of the screen:

Screenshot of the DLP Policy Toolbox app

A few comments:

  • The related DLP Policies are gathered by the cloud flow called “Get DLPs applied to Environment”
  • Only tenant DLP Policies are in scope (environment-level policies are not listed)
  • The Flow iterates over all existing tenant DLP Policies and shows a policy in the list if:
    • the policy applies to all environments, or…
    • the policy applies to all environments except an exclusion list, and the selected environment is not in that list, or…
    • the policy applies only to an inclusion list, and the selected environment is in that list
  • The button on the right-hand side of the main-area gallery opens the DLP Policy in the Admin Center
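Both toolbox operations, the Finder’s three scope rules and the Duplicator’s copy, fit in a few lines once a policy is seen as a record with a scope type, an environment list and connector groups. The Python below is my added illustration, not the toolbox’s own flows (which do this in Power Automate). The field names follow the Power Platform governance policy API as I understand it (environmentType with the values AllEnvironments, OnlyEnvironments and ExceptEnvironments; environments; connectorGroups; defaultConnectorsClassification), the two keys in NOT_COPIED are assumed names for the endpoint-filtering and action-control settings, and the tenant, policies and environment ids are constructed. The copy is always scoped to a single explicitly listed environment rather than inheriting the source’s scope, which is the behaviour the author settles on in the comments below.

```python
import copy
import uuid
from typing import Any, Dict, List, Tuple

Policy = Dict[str, Any]

# Scope types of a tenant-level DLP Policy (assumed API values, see lead-in).
ALL, ONLY, EXCEPT = "AllEnvironments", "OnlyEnvironments", "ExceptEnvironments"

# Settings the toolbox does not carry over: endpoint patterns and granular
# action control. Assumed property names.
NOT_COPIED = ("connectorConfigurationsDefinition", "customConnectorUrlPatternsDefinition")

# Constructed sample tenant: two known environments, three tenant policies.
ENV_DEFAULT = "Default-00000000-0000-0000-0000-000000000001"
ENV_PROD = "11111111-1111-1111-1111-111111111111"

GROUPS_BASELINE = [
    {"classification": "Confidential", "connectors": [{"id": "shared_office365"}]},
    {"classification": "General", "connectors": [{"id": "shared_rss"}]},
    {"classification": "Blocked", "connectors": [{"id": "shared_ftp"}]},
]

POLICIES: List[Policy] = [
    {"name": "p-baseline", "displayName": "Tenant baseline", "environmentType": ALL,
     "environments": [], "defaultConnectorsClassification": "General",
     "connectorGroups": GROUPS_BASELINE},
    {"name": "p-except", "displayName": "All but Default", "environmentType": EXCEPT,
     "environments": [{"name": ENV_DEFAULT}], "defaultConnectorsClassification": "Blocked",
     "connectorGroups": GROUPS_BASELINE,
     "connectorConfigurationsDefinition": {"rules": "constructed action rules"}},
    {"name": "p-only", "displayName": "Prod only", "environmentType": ONLY,
     "environments": [{"name": ENV_PROD}], "defaultConnectorsClassification": "General",
     "connectorGroups": GROUPS_BASELINE},
]


def applies_to(policy: Policy, env_name: str) -> bool:
    """The DLP Finder rule: does this tenant policy govern env_name?"""
    scope = policy["environmentType"]
    listed = {e["name"] for e in policy.get("environments", [])}
    if scope == ALL:
        return True
    if scope == EXCEPT:
        return env_name not in listed
    if scope == ONLY:
        return env_name in listed
    raise ValueError(f"unknown environmentType {scope!r}")


def policies_for_environment(policies: List[Policy], env_name: str) -> List[str]:
    """Display names of every tenant policy that applies to env_name."""
    return [p["displayName"] for p in policies if applies_to(p, env_name)]


def duplicate_policy(source: Policy, new_display_name: str, env_name: str) -> Tuple[Policy, List[str]]:
    """Clone groups and default classification; always scope the copy to one
    explicit environment (never inherit an All/Except scope, which would silently
    widen the copy). Returns the copy and the settings that must be redone by hand."""
    clone: Policy = {
        "name": str(uuid.uuid4()),
        "displayName": new_display_name,
        "environmentType": ONLY,
        "environments": [{"name": env_name}],
        "defaultConnectorsClassification": source["defaultConnectorsClassification"],
        "connectorGroups": copy.deepcopy(source["connectorGroups"]),
    }
    to_reconfigure = [k for k in NOT_COPIED if source.get(k)]
    return clone, to_reconfigure


if __name__ == "__main__":
    for env in (ENV_DEFAULT, ENV_PROD):
        print(env, "->", policies_for_environment(POLICIES, env))
    new_policy, todo = duplicate_policy(POLICIES[1], "All but Default (copy for Prod)", ENV_PROD)
    print(new_policy["environmentType"], new_policy["environments"], "reconfigure:", todo)
```

Run stand-alone, the script prints the policies governing each sample environment and the copy together with its list of settings to redo. The `to_reconfigure` list is the caveat from the Duplicate tab made explicit: endpoint patterns and action rules only ever restrict a connector, so a copy that lacks them is more permissive than its source until an admin re-enters them.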

Additional comments regarding the DLP Policy Toolbox

I initially built the solution with the Canvas App alone; in terms of functionality, the Power Platform for Admins connector called directly from Power Apps is enough. However, for a tenant with many Environments and policies, that approach did not perform well enough. Even though I now use cloud flows to get better performance, the App might still be slow in some situations, especially for DLP Policies applying to many environments.

I sincerely hope that such functionality will see the light of day in the Admin Center directly, and not only for Managed Environments… In the meantime, if you have any feedback or ideas to make this better, please get in touch!


Categories: Governance

2 Comments

Tristan · February 28, 2024 at 7:02 pm

Hi Valentin, thanks a lot for this great tool and for helping the community. May I suggest for the next version to enable multiple environments selection in the duplicate tab. Because as of today if the scope is based on exclusion, and multiple environments are excluded in the original DLP, the copied DLP will apply to all environments but only one, which is probably not desired ;-). Scenario very useful to duplicate a default DLP based on exclusion. Another approach would be to duplicate the DLP with a different scope, to ensure there is no unwanted effect. Thanks again for your work!

    Valentin Mazhar · March 1, 2024 at 5:30 pm

    Hello Tristan, thanks for sharing feedback and for this great suggestion. I had not thought about this scenario.
    It seems to me like the best approach would be your last suggestion, as duplicating an exclusion DLP might lead to confusion and non-desired behaviours… I have published a new version: now the duplication always enforces the scope to “Add Multiple Environments”, with still a single environment to select.
    Let me know what you think!
