
Module 4 - Power Platform Data Loss Prevention Policies


WorkshopPLUS – Power Platform for Administrators:

Data Loss Prevention Policies

Microsoft
Services
Conditions and Terms of Use
Microsoft Confidential
This training package is proprietary and confidential, and is intended only for uses described in the training materials. Content and software is
provided to you under a Non-Disclosure Agreement and cannot be distributed. Copying or disclosing all or any portion of the content and/or
software included in such packages is strictly prohibited.
The contents of this package are for informational and training purposes only and are provided "as is" without warranty of any kind, whether
express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-
infringement.
Training package content, including URLs and other Internet website references, is subject to change without notice. Because Microsoft must
respond to changing market conditions, the content should not be interpreted to be a commitment on the part of Microsoft, and Microsoft
cannot guarantee the accuracy of any information presented after the date of publication. Unless otherwise noted, the companies,
organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association
with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Copyright and Trademarks


© 2016 Microsoft Corporation. All rights reserved.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information, see Use of Microsoft Copyrighted Content at
https://www.microsoft.com/en-us/legal/intellectualproperty/permissions/default.aspx
Microsoft®, Internet Explorer®, Outlook®, SkyDrive®, Windows Vista®, Zune®, Xbox 360®, DirectX®, Windows Server® and Windows® are
either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other Microsoft products
mentioned herein may be either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. All
other trademarks are property of their respective owners.
Introduction
In this lesson, you will learn the following:

• Understand Data Loss Prevention Policies.


• DLP Policies Scope.
• How to Create a DLP Policy.
• How to Manage a DLP Policy.
Understand Data Loss Prevention Policies
What is a Data Loss Prevention Policy?
Data Loss Prevention (DLP) policies help protect organizational data from unintended exposure.

They can act as guardrails to help prevent users from unintentionally exposing the data.

DLP policies can be scoped at the environment and tenant level offering flexibility to craft policies that are sensible and do not
block productivity.

DLP policies enforce rules of what connectors can be used together by classifying connectors as either Business, Non-Business
and Blocked.

Simply, if you put a connector in the business data only group, it can only be used with other connectors from that group in the
same app/flow.

Third-party connectors can be blocked so that they can’t be used where a policy is applied at the environment level.
View Policies at Your Tenant
• DLP policies are still managed from Power Platform admin center
https://admin.powerplatform.microsoft.com/dlp
DLP Policies Scopes
There are three scope types in Power Platform DLP policies:
• Apply to ALL environments
• Apply to ONLY selected environments
• Apply to ALL environments EXCEPT

DLP Scopes
If you are only an environment administrator, you will see a selection to choose one of your environments to associate with the DLP policy.

If you are a tenant administrator, you will have the ability to apply to:
• Apply to ALL environments
• Apply to ONLY selected environments
• Apply to ALL environments EXCEPT
DLP Policies Security Considerations

• Environment-only admins do have the ability to view policies created by tenant admins to understand what might apply to their environment.

• Environment-specific policies can’t override tenant-wide DLP policies.

• For example, if you only allow use of Common Data Service connectors in an environment, an individual user that is only an environment admin can’t override that policy to allow social network connectors to be used.
Creating New DLP Policies
• When you create a new DLP policy, you must provide a policy name to differentiate its scope from other policies already created or that you might need to create later.
• Then click Next.
Configuring connectors for a DLP policy
• By default, all connectors are considered part of the Non-Business data allowed list and no connectors are included in the Business group.
• This effectively means that all connectors can be used with other connectors.
• When new connectors are added, they are added to the Default category, which is the Non-Business group.
• If you prefer, you can change which category is considered the default, and then all new connectors released by Microsoft will be classified in that category by default.
• Select any third-party connector (Non-Microsoft) to be classified as Blocked
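A small offline model of the rules described above (scope types, connector groups, the default group, and environment policies not overriding tenant-wide ones), added here as an illustration; it is not Microsoft's code or part of the workshop, and it calls no Power Platform cmdlets. The policy names, environment names, the SharePoint connector and all function names are assumptions made for the example.

```powershell
# Constructed sample policies: names, environments and groupings are illustrative.
$policies = @(
    @{ Name = 'Tenant baseline'; Scope = 'AllExcept'; Environments = @('Sandbox')
       Business = @('SharePoint', 'Common Data Service'); NonBusiness = @()
       Blocked = @('Twitter', 'Facebook'); DefaultGroup = 'NonBusiness' },
    @{ Name = 'Production only'; Scope = 'Only'; Environments = @('Production')
       Business = @('Common Data Service'); NonBusiness = @()
       Blocked = @(); DefaultGroup = 'NonBusiness' }
)

# Scope check: ALL, ONLY selected, or ALL EXCEPT the listed environments.
function Test-PolicyApplies($Policy, [string]$Environment) {
    switch ($Policy.Scope) {
        'All'       { return $true }
        'Only'      { return $Policy.Environments -contains $Environment }
        'AllExcept' { return $Policy.Environments -notcontains $Environment }
    }
    throw "Unknown scope '$($Policy.Scope)'"
}

# Connectors the policy does not list fall into its default group.
function Get-ConnectorGroup($Policy, [string]$Connector) {
    if ($Policy.Blocked     -contains $Connector) { return 'Blocked' }
    if ($Policy.Business    -contains $Connector) { return 'Business' }
    if ($Policy.NonBusiness -contains $Connector) { return 'NonBusiness' }
    return $Policy.DefaultGroup
}

# An app/flow must satisfy every policy that applies to its environment,
# so an environment policy can add restrictions but never relax the tenant one.
function Test-ConnectorSet([string]$Environment, [string[]]$Connectors) {
    foreach ($p in $policies) {
        if (-not (Test-PolicyApplies $p $Environment)) { continue }
        $blocked = @($Connectors | Where-Object { (Get-ConnectorGroup $p $_) -eq 'Blocked' })
        if ($blocked.Count -gt 0) { "$($p.Name): blocked connector(s): $($blocked -join ', ')" }
        $groups = @($Connectors | ForEach-Object { Get-ConnectorGroup $p $_ } |
                    Where-Object { $_ -ne 'Blocked' } | Sort-Object -Unique)
        if ($groups.Count -gt 1) { "$($p.Name): mixes Business and Non-Business connectors" }
    }
}

# A Business connector combined with a blocked one, in Production.
Test-ConnectorSet 'Production' @('SharePoint', 'Twitter')
# Two connectors that share a group at tenant level but not in the Production policy.
Test-ConnectorSet 'Production' @('SharePoint', 'Common Data Service')
# Sandbox is excluded from the baseline and not selected by the second policy.
Test-ConnectorSet 'Sandbox' @('Twitter', 'SharePoint')
```

Each call emits one violation string per failed rule and nothing when the connector set is allowed.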
Lab: Exercise 1

Create DLP Policy using GUI
Step 1) Create DLP Policy for Development and Production Environments
• Using tenant global admin, navigate to Power Platform Admin Center https://admin.powerplatform.microsoft.com/dlp
• Click “Data policies” then click “New Policy”
• Define policy name and click Next
• Group connectors into Business, Non-Business and Blocked.
• Note that Microsoft connectors can’t be blocked.
• Search for Twitter and Facebook and block them.
• Click Next
• Note: HTTP connectors became available by default
• Select policy scope “Add all environments”
• Click Next
• Review policy then click “Create policy”
End of Lab Exercise
Lab: Exercise 2

Create DLP Policy using PowerShell
Step 1) Create DLP Policy for Default Environment Using PowerShell
• Run Windows PowerShell as an administrator
• Install PowerApps PowerShell modules by running the following commands separately
  • Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force
  • Install-Module -Name Microsoft.PowerApps.PowerShell -AllowClobber -Force
• Add Power Platform Admin account (global admin) by running the command below
  • Add-PowerAppsAccount
  • This command opens a window prompting for a username and password; use global admin credentials, then sign in.
• Get environment name
  • Get-AdminPowerAppEnvironment *personal*
    Where default is a part of the environment display name
  • Copy EnvironmentName from the result.
• Create a new DLP policy scoped to the default environment only by running the command below
  • New-AdminDlpPolicy -DisplayName "Default DLP" -EnvironmentName Default-c3084e53-f35c-4fce-bc8c-799d5bbe2814
• Navigate back to Policies in admin center to refresh the page


End of Lab Exercise
Lab: Exercise 3

Update Existing DLP Policy using PowerShell
Step 1) Get DLP Policies
• Run Windows PowerShell as an administrator
• Add Power Platform Admin account (global admin) by running the command below
  • Add-PowerAppsAccount
  • This command opens a window prompting for a username and password; use global admin credentials, then sign in.
• Type the command to get the tenant’s policies
  • Get-AdminDlpPolicy
End of Lab Exercise
© 2015 Microsoft Corporation. All rights reserved.
