Managing Power Platform Data Policies using PowerShell

Power Platform Data Loss Prevention (DLP) policies help administrators control how data is shared across Microsoft Power Automate, Power Apps, and other Power Platform services. Using PowerShell, you can create, update, and manage these policies effectively.


Step 1: Install and Import Required PowerShell Modules

Ensure that you have the required PowerShell modules installed before managing DLP policies.

# Install Power Platform PowerShell modules
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser -Force

# Import the module
Import-Module Microsoft.PowerApps.Administration.PowerShell

Step 2: Authenticate to Power Platform

You need administrator privileges to manage DLP policies. Use the following command to sign in:

# Connect to Power Platform
Add-PowerAppsAccount

For service principal (non-interactive) authentication, for example from a scheduled job, sign in with a certificate instead of a user account:

$AppId = "YOUR_APP_ID"
$TenantId = "YOUR_TENANT_ID"
$CertificateThumbprint = "YOUR_CERT_THUMBPRINT"

# The app registration must first be registered as a Power Platform management app
# (one-time step, run by a signed-in administrator): New-PowerAppManagementApp -ApplicationId $AppId
# Add-PowerAppsAccount is also the sign-in cmdlet for service principals; -Endpoint prod selects the public cloud
Add-PowerAppsAccount -Endpoint prod -TenantID $TenantId -ApplicationId $AppId -CertificateThumbprint $CertificateThumbprint

Step 3: List Existing Data Policies

To check all existing DLP policies in your environment:

# Retrieve all DLP policies
$dlpPolicies = Get-AdminDlpPolicy
$dlpPolicies | Format-Table DisplayName, Description, CreatedTime, ModifiedTime

To filter policies by name:

$policyName = "Your Policy Name"
$dlpPolicy = Get-AdminDlpPolicy | Where-Object { $_.DisplayName -eq $policyName }
$dlpPolicy

Step 4: Create a New Data Policy

To create a new DLP policy that restricts certain connectors, use:

# Define policy name and description
$policyName = "Restricted Connectors Policy"
$description = "This policy restricts usage of external connectors."

# Create a new policy
New-AdminDlpPolicy -DisplayName $policyName -Description $description

Step 5: Assign Connectors to Policy Categories

Power Platform DLP policies categorize connectors into Business, Non-Business, and Blocked groups.

# Get the policy ID
$dlpPolicy = Get-AdminDlpPolicy | Where-Object { $_.DisplayName -eq "Restricted Connectors Policy" }
$policyId = $dlpPolicy.PolicyId

# Assign connectors to specific categories
Set-AdminDlpPolicy -PolicyId $policyId -ConnectorLists @(
@{ ConnectorName="sharepoint"; Classification="Business" },
@{ ConnectorName="twitter"; Classification="Blocked" },
@{ ConnectorName="gmail"; Classification="NonBusiness" }
)

Step 6: Update an Existing DLP Policy

To modify an existing policy, such as adding a new restricted connector:

# Add another blocked connector
Set-AdminDlpPolicy -PolicyId $policyId -ConnectorLists @(
@{ ConnectorName="dropbox"; Classification="Blocked" }
)

Step 7: Assign the DLP Policy to Environments

To apply the policy to specific environments:

# Get environment ID
$environment = Get-AdminPowerAppEnvironment | Where-Object { $_.DisplayName -eq "Your Environment Name" }
$envId = $environment.EnvironmentName

# Assign the policy to the environment
Set-AdminDlpPolicyEnvironment -PolicyId $policyId -EnvironmentNames @($envId)

Step 8: Remove a Connector from the Policy

To remove a connector from a policy:

# Remove the Gmail connector from the policy
Set-AdminDlpPolicy -PolicyId $policyId -ConnectorLists @(
@{ ConnectorName="gmail"; Classification="" } # Empty classification removes it
)

Step 9: Delete a DLP Policy

To remove an existing data policy:

# Remove the policy
Remove-AdminDlpPolicy -PolicyId $policyId -Confirm:$false

Step 10: Export DLP Policies for Auditing

To generate a report of all DLP policies:

$dlpPolicies | Select-Object DisplayName, Description, CreatedTime, ModifiedTime | Export-Csv -Path "C:\PowerPlatform\DlpPolicies.csv" -NoTypeInformation

Step 11: Disconnect Session (Optional)

To log out from Power Platform and clear the cached token from the session:

# Remove-PowerAppsAccount is the module's sign-out cmdlet
Remove-PowerAppsAccount
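The steps above cover creating and editing policies one at a time. What an administrator also wants is to notice when a policy changes without a change request behind it, since moving a connector out of the Blocked group or narrowing a policy's environment scope silently widens the data-exfiltration surface. The script below is an added example, not code from the original post: it builds on Steps 3 and 10 by snapshotting every policy returned by Get-AdminDlpPolicy, hashing each one, and comparing the result against a baseline file from a previous run. It assumes an existing Add-PowerAppsAccount session, that the policy objects carry the DisplayName property used throughout this post (every other property is serialized as-is, so the diff does not depend on the exact object shape), and that C:\PowerPlatform\DlpBaseline.json is a path you can write to.

```powershell
# Added example (not part of the original post): detect drift in Power Platform
# DLP policies by comparing a fresh snapshot with a saved baseline.
# Assumes: an existing Add-PowerAppsAccount session; policy objects expose
# DisplayName (used as the key); the baseline path below is writable.

function Get-DlpSnapshot {
    # One record per policy: DisplayName, a SHA-256 over the policy's JSON, and
    # the JSON itself so a reviewer can see exactly what changed.
    param([Parameter(Mandatory)] $Policies)

    $sha = [System.Security.Cryptography.SHA256]::Create()
    foreach ($p in $Policies) {
        $json  = $p | ConvertTo-Json -Depth 10 -Compress
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
        $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{ DisplayName = $p.DisplayName; Hash = $hash; Json = $json }
    }
    $sha.Dispose()
}

function Compare-DlpSnapshot {
    # Pure comparison of two snapshots (arrays from Get-DlpSnapshot), keyed on
    # DisplayName. Emits one record per Added / Removed / Changed policy.
    param($Baseline, $Current)

    $base = @{}; foreach ($b in $Baseline) { $base[$b.DisplayName] = $b }
    $cur  = @{}; foreach ($c in $Current)  { $cur[$c.DisplayName]  = $c }

    foreach ($name in $cur.Keys) {
        if (-not $base.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Added';   DisplayName = $name }
        } elseif ($base[$name].Hash -ne $cur[$name].Hash) {
            [pscustomobject]@{ Change = 'Changed'; DisplayName = $name }
        }
    }
    foreach ($name in $base.Keys) {
        if (-not $cur.ContainsKey($name)) {
            [pscustomobject]@{ Change = 'Removed'; DisplayName = $name }
        }
    }
}

# --- scheduled run ----------------------------------------------------------
$baselinePath = 'C:\PowerPlatform\DlpBaseline.json'   # assumed path

$current = @(Get-DlpSnapshot -Policies (Get-AdminDlpPolicy))

if (-not (Test-Path $baselinePath)) {
    # First run: persist the baseline and stop. Review it by hand before trusting it.
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path $baselinePath
    Write-Output "Baseline written to $baselinePath ($($current.Count) policies)."
    return
}

$baseline = @(Get-Content -Path $baselinePath -Raw | ConvertFrom-Json)
$changes  = @(Compare-DlpSnapshot -Baseline $baseline -Current $current)

if ($changes.Count -eq 0) {
    Write-Output 'No DLP policy drift detected.'
} else {
    # Summarize, then print before/after JSON for changed policies so the
    # reviewer can see which connector classification or environment moved.
    $changes | Format-Table Change, DisplayName
    foreach ($c in ($changes | Where-Object Change -eq 'Changed')) {
        Write-Output "--- $($c.DisplayName) (baseline)"
        ($baseline | Where-Object DisplayName -eq $c.DisplayName).Json
        Write-Output "+++ $($c.DisplayName) (current)"
        ($current  | Where-Object DisplayName -eq $c.DisplayName).Json
    }
}
```

Run it once interactively to write the baseline, inspect that file, and then schedule it (for example from a runbook using the service principal sign-in from Step 2). After every approved change, refresh the baseline by deleting the file and re-running; anything the script reports between approved changes is worth a ticket.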
