Connector endpoint filtering (preview)
[This article is pre-release documentation and is subject to change.]
Connector endpoint filtering allows admins to govern which specific endpoints makers can connect to when building apps, flows, or chatbots. It is configured within a data loss prevention (DLP) policy, and it is exclusively available for six connectors:
- HTTP
- HTTP with Microsoft Entra ID (AD)
- HTTP Webhook
- SQL Server (includes using SQL Server Connector to access Azure Synapse data warehouse)
- Azure Blob Storage
- SMTP
When a maker tries to connect their app, flow, or chatbot to a blocked endpoint, they will encounter a DLP error message.
Warning
Endpoint filtering rules are not enforced on environment variables, custom inputs, or any endpoint that is dynamically created at run-time. Only static endpoints are evaluated in the app, flow, or chatbot designers. For more information, see Known limitations.
Important
Preview features aren’t meant for production use and may have restricted functionality. These features are available before an official release so that customers can get early access and provide feedback.
Add endpoint filtering rules to your DLP policies
The Endpoint configurable column, on the Prebuilt Connectors page in Data Policies, indicates whether the endpoint filtering capability is supported for the connector.
If the value of the Endpoint configurable column is Yes, you can use this capability by right-clicking and then selecting Configure connector > Connector endpoints.
This opens a side panel where you can specify an ordered list of Allow or Deny URL patterns. The last row in the list will always be a rule for the wildcard character (*
), which applies to all endpoints in that connector. By default, the *
pattern is set up as Allow for new DLP policies, but you can tag this as Allow or Deny.
Add new rules
You can add new rules by selecting Add endpoint. New rules are added to the end of the pattern list as the second-to-the-last rule. This is because *
will always be the last entry in the list. However, you can update the order of the patterns by using the Order drop-down list or selecting Move up or Move down.
After a pattern has been added, you can edit or delete these patterns by selecting a specific row and then selecting Delete.
After saving your connector endpoint filtering rules and the DLP policy in which they are defined, they become instantly enforced on the targeted environments. Below is an example where a maker tried to connect their cloud flow to an HTTP endpoint that is not allowed.
Known limitations
Endpoint filtering rules are not enforced on environment variables, custom inputs, and dynamically bound endpoints during runtime. Only static endpoints known and selected when building an app, flow, or chatbot during design time are enforced. This implies that connector endpoint filtering rules for SQL Server and Azure Blob Storage are not enforced if the connections are authenticated with Microsoft Entra ID. In the two screenshots below, a maker has built a cloud flow that defines the SQL Server and database inside variables, and then uses those variables as input to the connection definition. Therefore, the endpoint filtering rules are not evaluated and the cloud flow can execute successfully.
Some Power Apps published before October 1, 2020, need to be re-published for DLP connector action rules and endpoint rules to be enforced. The following script enables admins and makers to identify apps that must be re-published to respect these new DLP granular control rules:
Add-PowerAppsAccount $GranularDLPDate = Get-Date -Date "2020-10-01 00:00:00Z" ForEach ($app in Get-AdminPowerApp){ $versionAsDate = [datetime]::Parse($app.LastModifiedTime) $olderApp = $versionAsDate -lt $GranularDLPDate $wasBackfilled = $app.Internal.properties.executionRestrictions -ne $null -and $app.Internal.properties.executionRestrictions.dataLossPreventionEvaluationResult -ne $null -and ![string]::IsNullOrEmpty($app.Internal.properties.executionRestrictions.dataLossPreventionEvaluationResult.lastAdvancedBackfillDate) If($($olderApp -and !$wasBackfilled)){ Write-Host "App must be republished to be Granular DLP compliant: " $app.AppName " " $app.Internal.properties.displayName " " $app.Internal.properties.owner.email } Else{ Write-Host "App is already Granular DLP compliant: " $app.AppName } }
Endpoint input formats and examples
Each connector has a different notion of what an endpoint means. Further, some endpoints can be defined in multiple formats. Therefore, endpoints have to be entered in all possible formats to block makers from using them while creating apps and flows. Admins can either enter the full endpoint name or use pattern matching with the wildcard character (*
) when creating an endpoint filtering rule. These rules are entered and presented in an ordered list of endpoint patterns, meaning that they'll be evaluated in ascending order by number. Note that the last rule for any given connector is always *
Allow or *
Deny. Allow is the default, which can be changed to Deny.
The following guidance describes how to enter connector endpoints while creating rules to allow or deny them.
SQL Server
SQL Server connection endpoints have to be listed in <Server_name, database_name>
format. A few things to keep in mind:
The server name can be entered in various formats by makers. Therefore, to truly address an endpoint, it has to be entered in all possible formats. For example, on-premises instances can be in
<machine_name\named_instance, database_name>
or<IP address, custom port, database_name>
format. In this case, you'll have to apply allow or block rules in both formats for an endpoint. For example:- Block
WS12875676\Servername1,MktingDB
- Block
11.22.33.444,1401,MktingDB
- Block
There's no special logic to handle relative addresses such as
localhost
. Therefore, if you block*localhost*
, it will block makers from using any endpoints by usinglocalhost
as part of the SQL Server endpoint. However, it won't stop them from accessing the endpoint by using the absolute address, unless the absolute address has also been blocked by the admin.
The following are examples:
Allow only Azure SQL Server instances:
- Allow
*.database.windows.net*
- Deny
*
- Allow
Allow only a specific IP range: (Note that the IP addresses that aren't allowed can still be entered by the maker in
<machine_name\named_instance>
format.)- Allow
11.22.33*
- Deny
*
- Allow
Dataverse
Dataverse endpoints are represented by the organization ID, such as, 00aa00aa-bb11-cc22-dd33-44ee44ee44ee. Please note that only the regular Dataverse connector is currently in scope for endpoint filtering. Dataverse dynamics and Dataverse current connectors are not in scope. Also, the local instance of Dataverse (also known as the current environment) can never be blocked for use within an environment. This means that within any given environment, makers can always access the Dataverse current environment.
Therefore, a rule that says the following:
- Allow
00aa00aa-bb11-cc22-dd33-44ee44ee44ee
- Deny
*
Actually means:
- Allow
Dataverse current environment
- Allow
00aa00aa-bb11-cc22-dd33-44ee44ee44ee
- Deny
*
Allow Dataverse current environment
is always implicitly the first rule in the Dataverse endpoint filtering list for any given environment.
Azure Blob Storage
Azure Blob Storage endpoints are represented by the Azure storage account name.
SMTP
SMTP endpoints are represented in <SMTP server address, port number>
format.
The following is an example scenario:
- Deny
smtp.gmail.com,587
- Allow
*
HTTP with Microsoft Entra ID, HTTP Webhook, and HTTP connectors
The endpoints for all HTTP connectors are represented by a URL pattern. The Get web resource action of the HTTP with Microsoft Entra connector is out of scope.
The following is an example scenario:
Allow access to only the Azure subscriptions page within https://management.azure.com/
.
- Allow
https://management.azure.com/subscriptions*
- Deny
https://management.azure.com/*
- Deny
*
PowerShell support for endpoint filtering
Configure endpoint filtering rules for a policy
The object that contains endpoint filtering rules for a policy is referred to below as the connector configurations.
The connector configurations object has the following structure:
$ConnectorConfigurations = @{
connectorActionConfigurations = @() # used for connector action rules
endpointConfigurations = @( # array – one entry per
@{
connectorId # string
endpointRules = @( # array – one entry per rule
@{
order # number
endpoint # string
behavior # supported values: Allow/Deny
}
)
}
)
}
Notes
- The last rule for each connector should always be applied to URL
*
, to ensure that all URLs are covered by the rules. - The order property of the rules for each connector should be populated with numbers 1 to N, where N is the number of rules for that connector.
Retrieve existing connector configurations for a DLP policy
Get-PowerAppDlpPolicyConnectorConfigurations
Create connector configurations for a DLP policy
New-PowerAppDlpPolicyConnectorConfigurations
Update connector configurations for a DLP policy
Set-PowerAppDlpPolicyConnectorConfigurations
Example
Goal:
For the SQL Server connector:
- Deny database “testdatabase” of server “myservername.database.windows.net”
- Allow all other databases of server “myservername.database.windows.net”
- Deny all other servers
For the SMTP connector:
- Allow Gmail (server address: smtp.gmail.com, port: 587)
- Deny all other addresses
For the HTTP connector:
- Allow endpoints
https://mywebsite.com/allowedPath1
andhttps://mywebsite.com/allowedPath2
- Deny all other URLs
Note
In the following cmdlet, PolicyName refers to the unique GUID. You can retrieve the DLP GUID by running the Get-DlpPolicy cmdlet.
$ConnectorConfigurations = @{
endpointConfigurations = @(
@{
connectorId = "/providers/Microsoft.PowerApps/apis/shared_sql"
endpointRules = @(
@{
order = 1
endpoint = "myservername.database.windows.net,testdatabase"
behavior = "Deny"
},
@{
order = 2
endpoint = "myservername.database.windows.net,*"
behavior = "Allow"
},
@{
order = 3
endpoint = "*"
behavior = "Deny"
}
)
},
@{
connectorId = "/providers/Microsoft.PowerApps/apis/shared_smtp"
endpointRules = @(
@{
order = 1
endpoint = "smtp.gmail.com,587"
behavior = "Allow"
},
@{
order = 2
endpoint = "*"
behavior = "Deny"
}
)
},
@{
connectorId = "http"
endpointRules = @(
@{
order = 1
endpoint = "https://mywebsite.com/allowedPath1"
behavior = "Allow"
},
@{
order = 2
endpoint = "https://mywebsite.com/allowedPath2"
behavior = "Allow"
},
@{
order = 3
endpoint = "*"
behavior = "Deny"
}
)
}
)
}
New-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId -PolicyName $PolicyName -NewDlpPolicyConnectorConfigurations $ConnectorConfigurations