Use DLP data groups to protect important data
Connectors allow Microsoft Power Platform to exchange data with other services such as Microsoft 365, Dataverse, Azure, Dropbox, and more. To control the flow of sensitive information, you can create rules that permit or prevent connectors from communicating with each other. DLP policies do this by letting you assign each connector to one of three data groups:
Business - Connectors that are processing business-related data.
Non-business (default) - Connectors that don't support valid business use cases.
Blocked - Connectors that are not to be used.
When a DLP policy is created, Microsoft assigns all connectors to the Non-business data group, which is the default DLP data group.
Managing the default DLP data group
Whenever a new connector is made available, it will automatically be assigned to the default data group. New connectors can come from a variety of sources, including Microsoft, third-party connector providers, and custom connectors from inside your organization. An administrator can change the default data group by selecting the Set default group button and choosing the data group that they want to designate as the default.
Administrators need to understand how the default data group behaves to avoid unintended data leakage. For example, when Microsoft introduces a new Office 365 connector, that connector is automatically assigned to the default data group (Non-business). Because the connector is in the Non-business default data group, users can build a flow that takes business data from the new Office 365 connector and sends it to consumer-based services like email and file sharing. To prevent this, the administrator can place the Office 365 connector in the Business data group.
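The default-group behavior described above can be checked with a small model. This is an added example, not Microsoft's code or API: the class, the connector names, and the rule it assumes (a flow may combine connectors from only one data group and may not use a Blocked connector) are all illustrative.

```python
from dataclasses import dataclass, field

BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-business", "Blocked"

@dataclass
class DlpPolicy:
    """Toy model of a DLP policy: explicit assignments plus a default group."""
    default_group: str = NON_BUSINESS              # initial default, per the page
    assigned: dict = field(default_factory=dict)   # connector name -> data group

    def group_of(self, connector):
        # A connector nobody has classified falls into the default group.
        return self.assigned.get(connector, self.default_group)

    def unclassified(self, connectors):
        """Connectors that are in the default group only because nobody reviewed them."""
        return sorted(c for c in connectors if c not in self.assigned)

    def evaluate(self, flow_connectors):
        """Return (allowed, reason) for a flow that uses the given connectors."""
        groups = {c: self.group_of(c) for c in flow_connectors}
        if not groups:
            return True, "no connectors used"
        blocked = sorted(c for c, g in groups.items() if g == BLOCKED)
        if blocked:
            return False, "blocked connector: " + ", ".join(blocked)
        if len(set(groups.values())) > 1:
            return False, "mixes Business and Non-business connectors"
        return True, "all connectors in " + next(iter(groups.values()))

def demo():
    # Constructed sample: one reviewed connector, one consumer service left in
    # the default group, and a newly published connector (hypothetical name).
    policy = DlpPolicy(assigned={"SharePoint": BUSINESS})
    flow = ["NewOffice365Connector", "Dropbox"]
    before = policy.evaluate(flow)        # new connector still in the default group
    pending = policy.unclassified(flow)   # what an administrator should review
    policy.assigned["NewOffice365Connector"] = BUSINESS
    after = policy.evaluate(flow)         # same flow once the connector is classified
    return before, pending, after

if __name__ == "__main__":
    for result in demo():
        print(result)
```
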
Receive notifications for new connectors
Administrators can be alerted about recently published connectors using the List New Microsoft Power Automate Connectors flow template. The flow sends out an email when new connectors are added, allowing the administrator to update the DLP policies.
Custom connectors and data groups
Custom connectors pose a potential challenge for administrators because they do not appear in the DLP policy data groups. Just like Microsoft and third-party connectors, custom connectors are placed in the default data group (Non-business). Assigning a custom connector to a different data group requires PowerShell or the Microsoft Power Platform Management connectors. The exercise at the end of the module demonstrates how to apply a DLP policy to a custom connector.