This DLP series is about making sure your makers can be effective without adding risk to themselves or the business. We’ve already looked at how you can allow or block certain connectors so that only the ones you need for your business are available. There’s one more important step to reduce opportunities for data leaks via apps & flows – Power Platform tenant isolation.
In this article you’ll see some examples, learn why it’s important, and how to enable it.
Power Platform tenant isolation allows administrators to govern the movement of business data from one tenant to another. Without this in place, makers can readily duplicate business data to other tenants, such as their personal ones. Much like other Power Platform admin settings, tenant isolation is OFF by default for every tenant.
Let’s take a look at what makers could potentially do without this setting enabled.
I have access to two tenants. In each one, I’ve created a SharePoint site, each with its own dedicated list & library:
I’ll attempt to create both an app and a flow that will talk to both tenants in a single transaction. This SharePoint-to-SharePoint relationship will ALWAYS work in your organisation; you cannot block the SharePoint connector in Power Platform DLP policies, meaning it will always sit in either the business or the non-business category. If the connector is being used by itself within either of those categories, it’s fair game.
In tenant 1, I’ll create an imaginatively named canvas app:
My first connection will be to the tenant I am working in:
I’ll connect to the tenant 1 List and present the data in a gallery:
From within the same app I can also use a connection to tenant 2. I can then do the same with the tenant 2 List:
I can now use my app to freely view & move information across these tenants:
This is a very simple example, and it can be replicated with other M365 services across tenants, such as Active Directory information or OneDrive for Business files.
Power Automate flows
A Power App still relies on user interaction to physically see and/or move the data around. With Power Automate, flows can be set up to run when a certain event (trigger) occurs. Without Power Platform tenant isolation turned on, I can readily use both tenant connections for SharePoint actions:
I’ve set up a flow to trigger whenever a document is added to the tenant 1 library. The flow gets the content of the file and makes a copy in the tenant 2 library. It takes barely a minute to build and works as expected:
Enable tenant isolation
If you want to avoid makers building such scenarios, you’ll need to flex your administrative muscles. You’ll need to have access to a Global or Power Platform admin-level account to carry out these steps.
Navigate to the Power Platform Admin Centre (PPAC). From the home screen, expand Policies and select Tenant isolation:
You’ll see a toggle that’s set to off. Click to set it to on:
Make sure you then click Save to keep the changes. That’s it: Power Platform tenant isolation is enabled. Please note, it may take up to an hour for the change to take effect against existing apps and flows. This change isn’t instantaneous.
With this enabled, you cannot connect to other tenants within apps and flows. Other tenants can’t connect to yours either.
Allowing specific tenants
When switching on Power Platform tenant isolation, you may have noticed the New tenant rule option:
With a tenant rule, you can specify an allow list for cross-tenant transactions for inbound (bringing data from another tenant into yours), or outbound (sending data from your tenant to another). You can also allow both inbound and outbound if you wish.
Some companies run across multiple tenants, in which case this is a great level of granularity to have available. You’re allowed up to 50 rules, and they’re only active when Power Platform tenant isolation is switched on. You can refer to Microsoft’s documentation on inbound & outbound rules for more information.
You may be implementing Power Platform tenant isolation after makers have created cross-tenant connections.
In terms of Power Apps, the change isn’t hugely obvious to users of an app. Remember the app I referenced earlier? I played it after switching tenant isolation on. The information from tenant 2 is no longer visible, but there’s no warning or information as to why:
You get a bit more insight when editing the app, though you can’t scroll through the tooltip. I know this is hinting at tenant isolation, but others may not. This is why communication is HUGELY important when making these kinds of tenant-wide changes:
As for flows, any that are affected will fail on their next trigger. If you don’t have good error handling in place, or aren’t checking regularly, again it may go undetected without prior comms:
Clicking on the failed flow presents an error you can scroll through, which is nice. However, it points at the account that’s actually fine (tenant 1 in my example) as the one with the issue, when in fact it’s the other connection, to tenant 2, that has been blocked. It does reference the presence of Power Platform tenant isolation though, and it is working as intended:
Please note, editing the flow doesn’t show any errors until you test the flow.
With Power Platform tenant isolation enabled for tenant 1, no new cross-tenant connections can be made. Sometimes the connection creation is halted and a warning presented. Other times, it looks as though the connection is created but actually appears like this:
I also tried to connect to tenant 1 from tenant 2, in case that bypassed the tenant isolation setting on tenant 1. Computer said no, which is the result we want:
Help is at hand
During the connector review article for this series, I referenced the Power Platform CoE Starter Kit. From an administrative view, I cannot stress enough how important this is to install and keep updated. There’s a lot of utility you can use to help govern, monitor & nurture your Power Platform estate.
One such tool is the Power Platform Governance dashboard. This is a separate Power BI report file from the main CoE dashboard:
This report has many great pieces of analysis, none more so than highlighting cross-tenant connections:
Right clicking on the tile will allow you to access the Connection details drill through report:
This is an essential resource in your planning for turning on Power Platform tenant isolation. Make sure to use this dashboard to assess potential impact and help formulate your communication strategy to affected users.
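To make the rule semantics from the “Allowing specific tenants” section and the impact assessment above concrete, here is an added example (my own code, not Microsoft’s, the CoE Starter Kit’s, or the article author’s) that models tenant isolation the way this article describes it and runs a constructed connection inventory through it to list what would break and who needs to be told. The tenant IDs, connection names, owners and app/flow names are placeholders, and the inbound/outbound evaluation follows the article’s data-movement wording rather than the service’s actual implementation, so treat it as a planning aid, not a substitute for the Governance dashboard.

```python
"""Model of Power Platform tenant isolation as described in the article
(added example, not Microsoft code). Every tenant ID, owner, connection
and app/flow name below is a constructed placeholder."""
from dataclasses import dataclass, field

MAX_TENANT_RULES = 50  # the article: up to 50 tenant rules

HOME = "TENANT-1-PLACEHOLDER-ID"   # constructed tenant ID
OTHER = "TENANT-2-PLACEHOLDER-ID"  # constructed tenant ID


@dataclass
class TenantRule:
    """Allow-list entry for one external tenant (assumed shape)."""
    tenant_id: str
    inbound: bool = False   # data from that tenant into ours
    outbound: bool = False  # data from ours to that tenant


@dataclass
class IsolationPolicy:
    home_tenant: str
    enabled: bool = False   # OFF by default, as in PPAC
    rules: list[TenantRule] = field(default_factory=list)

    def add_rule(self, rule: TenantRule) -> None:
        """Enforce the 50-rule ceiling the article mentions."""
        if len(self.rules) >= MAX_TENANT_RULES:
            raise ValueError(f"at most {MAX_TENANT_RULES} tenant rules are allowed")
        self.rules.append(rule)


@dataclass
class Connection:
    """One connection as an inventory export might list it (constructed)."""
    name: str
    owner: str
    connector: str
    remote_tenant: str   # tenant the connection authenticates against
    direction: str       # "inbound" or "outbound" in the article's data-movement sense
    used_by: list[str] = field(default_factory=list)  # dependent apps/flows


def evaluate(policy: IsolationPolicy, conn: Connection) -> tuple[bool, str]:
    """Return (allowed, reason) for one connection under the policy."""
    if conn.remote_tenant == policy.home_tenant:
        return True, "same-tenant connection; tenant isolation does not apply"
    if not policy.enabled:
        return True, "tenant isolation is OFF; cross-tenant traffic is unrestricted"
    # Tenant rules only take effect once isolation is switched on.
    for rule in policy.rules:
        if rule.tenant_id != conn.remote_tenant:
            continue
        if conn.direction == "inbound" and rule.inbound:
            return True, f"inbound allowed by tenant rule for {rule.tenant_id}"
        if conn.direction == "outbound" and rule.outbound:
            return True, f"outbound allowed by tenant rule for {rule.tenant_id}"
    return False, f"{conn.direction} to {conn.remote_tenant} blocked by tenant isolation"


def impact_report(policy: IsolationPolicy, inventory: list[Connection]) -> dict:
    """Pre-change assessment: connections that break, artefacts hit, owners to notify."""
    blocked = [c for c in inventory if not evaluate(policy, c)[0]]
    return {
        "blocked_connections": [c.name for c in blocked],
        "affected_artifacts": sorted({a for c in blocked for a in c.used_by}),
        "owners_to_notify": sorted({c.owner for c in blocked}),
    }


# Constructed inventory mirroring the article's app and flow.
SAMPLE_INVENTORY = [
    Connection("SharePoint (tenant 1)", "maker@tenant1.example", "SharePoint",
               HOME, "inbound", ["Tenant Isolation Demo App", "Copy to tenant 2"]),
    Connection("SharePoint (tenant 2, read)", "maker@tenant1.example", "SharePoint",
               OTHER, "inbound", ["Tenant Isolation Demo App"]),
    Connection("SharePoint (tenant 2, write)", "maker@tenant1.example", "SharePoint",
               OTHER, "outbound", ["Copy to tenant 2"]),
]

if __name__ == "__main__":
    # What breaks the moment the toggle is switched on with no rules:
    proposed = IsolationPolicy(HOME, enabled=True)
    for key, value in impact_report(proposed, SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
    # Adding an inbound-only rule for tenant 2 keeps the app working
    # but still blocks the flow that writes outbound.
    proposed.add_rule(TenantRule(OTHER, inbound=True))
    for conn in SAMPLE_INVENTORY:
        print(conn.name, "->", evaluate(proposed, conn))
```

Running the script with isolation enabled and no rules flags both tenant 2 connections, the app and the flow that depend on them, and the maker who owns them, which is exactly the list you want in hand before communicating the change; adding an inbound-only rule for tenant 2 shows how a rule can restore the read-only app while the outbound copy flow stays blocked.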
You can find more information about the CoE Governance dashboard here.
In my recent experience, it feels as though Power Platform tenant isolation is a feature not many are aware of. I hope this article has shone some additional spotlight on why it’s an important step towards an overall Power Platform DLP strategy.
Thanks for reading! If you liked this article and want more epic Power Platform stuff to land in your inbox every week, don’t forget to subscribe 😊