If you’ve got a brand spanking new tenant, awesome! Get Power Platform DLP implemented before anyone starts using the tools. However, it might be a different story if you already have makers building apps & flows without any active policies. You could just implement a policy and risk the wrath of your userbase. Or you can run a Power Platform DLP Impact Assessment first.
An impact assessment will determine what apps or flows could break when a Power Platform DLP policy is implemented. In this article, I’ll run you through the steps to undertake this assessment. This will help with formulating strategy and drafting a communication plan to affected users.
Caveats
To undertake a Power Platform DLP impact assessment, you’ll need the following:
1- Admin access to the Power Platform Admin Centre (PPAC). You’ll need this to create a new DLP policy.
2- The CoE Starter Kit installed. If you already have it installed, make sure it’s updated to the latest version. You’ll need to use the DLP Impact Analysis model-driven app, which is in the ‘Centre of Excellence – Core Components’ solution as of September 2023.
Create new policy
The first step is to create a brand new Power Platform DLP policy. It might sound a bit mad, but we’re not going to apply this policy to any environments. We just want to see what would happen if we did. This ‘empty’ policy will act as a key mechanism for the impact assessment.
1- In the PPAC, expand Policies and select Data Policies. Then, click on New Policy:
2- Give your policy a name. In my example, I want to see the impact of the default policy that will go against most environments:
Prebuilt connectors
A typical baseline DLP policy aligns all Microsoft connectors to Business, then everything else to Blocked. From there, you may wish to add additional connectors to Business or Non-Business on a case-by-case basis. For the purposes of this example, we’ll just focus on the minimum/general standard. This is partly driven by the fact that some connectors can’t be blocked. Visit the connector classification documentation for more info.
3- Select the Blockable header to expand the filter options. Select No then click Apply:
4- Click to the left of the Name header to select all filtered connectors. Then, click on Move to Business:
5- Return to the list of Non-business connectors and clear the filters. Find and add the following connectors to Business: Cards for Power Apps, Microsoft Forms, Power Apps for Makers, Power Apps for Admins, Power Platform for Admins, Power Automate for Admins, Power Automate Management.
6- Select all of the remaining Non-business connectors. Move them to Blocked:
Baseline policy for prebuilt connectors established. If there are any other line of business connectors you wish to add to Business, do so here. Examples might be SQL Server or Salesforce. To repeat, we are not assigning this policy to any environments, we just want to see what the impact would be.
Custom connectors
In terms of a Power Platform DLP impact assessment, you can probably leave this as-is for now. Click Next to move on. Custom connector usage can be analysed via other tabs in the CoE Starter Kit Power BI dashboard.
Scope
This is the important part to ensure you do not apply the policy to any environments. We simply want to see what would happen if we did apply it.
7- In the Define scope section, select Exclude certain environments. This will add an additional option into the process flow on the left for Environments:
Click Next to continue to Environments.
8- Select all environments then click on Add to policy:
It might seem a bit weird to add environments to the policy. We are actually adding them to the excluded environments though, so all good. You should be left with all environments sitting in the Excluded from policy section and 0 in Available:
9- On the Review screen, click Create policy. After a few seconds you’ll be returned to the Data policies area with your new Power Platform DLP policy showing:
Impact Assessment
Navigate to the environment where your CoE Starter Kit is installed. Find the DLP Impact Analysis app, click the ellipsis and open the app in Play mode:
If it’s your first visit to the app, you may need to allow the connections:
The app works very similarly to creating a policy in PPAC; the options and layout are pretty much the same.
1- Select the Impact Assessment policy made earlier. At the top of the screen, Edit policy will appear. Click on that.
🪳🪳 BUG: sometimes you have to select the policy, unselect it, then select it again for the Edit policy option to appear
2- Click Next until you reach the Scope section. When there, select the Add multiple environments option:
Changes aren’t being saved to the policy in PPAC, this is just cached in the app!
3- Select Next to go to the Environments section. Add and/or remove any environments you want to run the impact assessment against. You can run this individually or collectively to get an idea of impact.
Again, nothing is being saved to the Admin Centre at this point. In my scenario, I’ll just add the Default environment:
4- Click Next to go to the Impact Analysis screen.
Results may take a while to present themselves. The more environments you’ve selected, the more data it has to cycle through to find impacted apps and flows.
Viewing results
If there are no apps or flows affected by your proposed DLP policy, a message will be shown to that effect. If there are assets affected, they’ll be shown in a table:
View impact
Clicking the View Impact icon next to an entry will present a side pane. This will have information as to what connector(s) are going to be impacted in the selected app or flow:
Email maker
Selecting the Email Maker icon next to an entry will present another side pane. This will have an email body pre-populated, with information about connector conflicts included:
At present, the connectors are presented here by their internal names. So an average maker a) may not understand them, or b) may see that something like ‘shared_outlook’ is blocked and panic. They’ll need the education piece and context first, i.e. there are two Outlook connectors and we only want to allow the business-related one.
Also, sending individual emails from this app may be a lengthy process if you have hundreds of apps and/or flows to work through. I’d personally want to keep track of the emails sent in case you need to chase up or audit who has taken action.
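As an added example (not code from the article or from the CoE Starter Kit), here is the rule the impact analysis applies when it flags an app or flow, with the internal connector ids translated to display names so a maker-facing report avoids the ‘shared_outlook’ confusion described above. The policy map, display-name table and inventory are constructed for the example, and ‘shared_contoso_inventory’ is a hypothetical connector the policy does not mention.

```python
# Classification groups as the PPAC policy editor names them.
BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-business", "Blocked"
# Constructed baseline following the article: Microsoft connectors to Business,
# the rest Blocked. Anything missing from the map counts as Non-business.
POLICY = {
    "shared_office365": BUSINESS,  # Office 365 Outlook
    "shared_sharepointonline": BUSINESS,
    "shared_commondataserviceforapps": BUSINESS,
    "shared_outlook": BLOCKED,  # Outlook.com
}

# Display names so a maker-facing report does not show raw internal ids.
DISPLAY_NAMES = {
    "shared_office365": "Office 365 Outlook",
    "shared_outlook": "Outlook.com",
    "shared_sharepointonline": "SharePoint",
    "shared_commondataserviceforapps": "Microsoft Dataverse",
}

# Constructed inventory: asset -> connector ids it uses ('shared_contoso_inventory'
# is a hypothetical connector that the policy does not mention).
INVENTORY = {
    "Expense approval (flow)": ["shared_office365", "shared_sharepointonline"],
    "Personal mail digest (flow)": ["shared_outlook", "shared_office365"],
    "Site checklist (app)": ["shared_commondataserviceforapps", "shared_contoso_inventory"],
}

def classify(connector_id, policy=POLICY):
    return policy.get(connector_id, NON_BUSINESS)

def label(connector_id):
    return f"{DISPLAY_NAMES.get(connector_id, connector_id)} ({connector_id})"

def assess(inventory=INVENTORY, policy=POLICY):
    """Map each asset to the reasons it would break; [] means it stays compliant.
    A Blocked connector cannot be used at all, and one app or flow cannot mix
    Business and Non-business connectors."""
    findings = {}
    for asset, connectors in inventory.items():
        groups = {c: classify(c, policy) for c in connectors}
        reasons = [f"{label(c)} is Blocked" for c, g in groups.items() if g == BLOCKED]
        allowed = {c: g for c, g in groups.items() if g != BLOCKED}
        if {BUSINESS, NON_BUSINESS} <= set(allowed.values()):
            mix = ", ".join(f"{label(c)}={g}" for c, g in allowed.items())
            reasons.append(f"mixes Business and Non-business connectors: {mix}")
        findings[asset] = reasons
    return findings

def impacted(findings):  # only the assets the results table would list
    return {a: r for a, r in findings.items() if r}
```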
Export to task list
Clicking this option adds the records to the DLP Impact Analysis table in the CoE Core Components solution. They can then be accessed any time through the Non-compliant task list area of the app. There can be a wait time for results to appear in the table.
Export to CSV
The details of the impact analysis will be sent to your email by way of a Power Automate flow in the background. The outputs will show key information such as the creator, environment and what connector(s) will be impacted:
If, like most, you have Power Platform activity in your tenant without DLP, this impact assessment is a vital exercise. The results are going to shape how you talk to your makers about any upcoming changes.
It will also help to plan and strategise what your DLP policy or policies will look like. You might need more than one – and that will be the topic of the next article in the series.
If you liked this article and want more epic Power Platform stuff to land in your inbox every week, don’t forget to subscribe 😊
Very useful post. Thanks for sharing.
Is it right to think that this policy is NOT actually blocking anything or preventing anything? Is it just an impact assessment of what could potentially break if we enable it?
I’m not very sure what the DLP policy is actually doing, is it preventing any form of exports through the connectors? I think I need a bit more reading on that.
Power Platform DLP simply restricts what connectors can be used in Apps & Flows. The impact assessment, as you say, isn’t blocking anything – it’s there to see what would potentially break if you actioned your policy design.
Thank you for the clear and comprehensive details shared. Very useful and informative article along with the others in the Guardrail series.