Data Loss Prevention (DLP) policies in Power Platform help protect sensitive data by controlling how connectors interact within Power Automate, Power Apps, and Dataverse. Using PowerShell, administrators can automate the creation, management, and enforcement of DLP policies.
This guide will cover:
Connecting to Power Platform Admin Center using PowerShell
Listing all DLP policies
Creating a new DLP policy
Adding or removing connectors from a policy
Assigning environments to a DLP policy
Deleting a DLP policy
Step 1: Prerequisites
Before managing DLP policies, ensure the following:
1. Install the Power Platform PowerShell Module
If you haven’t installed the Power Platform PowerShell module, run:
Install-Module -Name Microsoft.PowerPlatform.Administration -Scope CurrentUser -Force
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser -Force
2. Connect to Power Platform
Use an admin account to authenticate:
Add-PowerAppsAccount
You are now connected!
Step 2: List All Existing DLP Policies
To list all DLP policies, run:
Get-DlpPolicy | Select-Object DisplayName, EnvironmentName, CreatedTime
For a specific policy, filter by name:
Get-DlpPolicy -PolicyName "MyDLPPolicy"
All existing DLP policies are displayed!
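Listing policies interactively is enough for a quick look, but a tenant admin usually wants a record of what the policies looked like at a point in time so that a later change (a policy deleted, a connector moved out of Blocked) is noticed. The following script is an added example, not part of the original guide: it snapshots every policy returned by Get-DlpPolicy to a JSON file and compares two snapshots. The output folder, file names and the Compare-DlpPolicySnapshot helper are assumptions; it relies on Add-PowerAppsAccount having already been run.

```powershell
# Added example (not from the original guide): snapshot DLP policies to JSON and
# diff two snapshots to detect unexpected policy changes.
# Assumes Add-PowerAppsAccount has been run; the folder path is an assumption.

function Export-DlpPolicySnapshot {
    param(
        [Parameter(Mandatory)] [string] $OutputFolder
    )
    if (-not (Test-Path $OutputFolder)) {
        New-Item -ItemType Directory -Path $OutputFolder | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $OutputFolder "dlp-policies-$stamp.json"

    # -Depth 10 keeps the nested connector groups instead of flattening them to strings
    Get-DlpPolicy | ConvertTo-Json -Depth 10 | Set-Content -Path $file -Encoding UTF8
    return $file
}

function Compare-DlpPolicySnapshot {
    param(
        [Parameter(Mandatory)] [string] $BaselineFile,
        [Parameter(Mandatory)] [string] $CurrentFile
    )
    # Wrap in @() so a tenant with a single policy still yields an array
    $baseline = @(Get-Content $BaselineFile -Raw | ConvertFrom-Json)
    $current  = @(Get-Content $CurrentFile  -Raw | ConvertFrom-Json)

    $baseNames = @($baseline | ForEach-Object { $_.DisplayName })
    $currNames = @($current  | ForEach-Object { $_.DisplayName })

    # A removed policy is the most urgent finding: environments it covered are now
    # unrestricted unless another policy still applies to them
    $removed = @($baseNames | Where-Object { $_ -notin $currNames })
    $added   = @($currNames | Where-Object { $_ -notin $baseNames })

    # For policies present in both snapshots, compare the serialized body to catch
    # connector reclassifications or changes to the environments in scope
    $changed = @(foreach ($name in $baseNames) {
        if ($name -in $currNames) {
            $b = $baseline | Where-Object { $_.DisplayName -eq $name } | ConvertTo-Json -Depth 10 -Compress
            $c = $current  | Where-Object { $_.DisplayName -eq $name } | ConvertTo-Json -Depth 10 -Compress
            if ($b -ne $c) { $name }
        }
    })

    [pscustomobject]@{ Removed = $removed; Added = $added; Changed = $changed }
}

# Usage (paths are assumptions):
# $today = Export-DlpPolicySnapshot -OutputFolder 'C:\DlpAudit'
# Compare-DlpPolicySnapshot -BaselineFile 'C:\DlpAudit\dlp-policies-baseline.json' -CurrentFile $today
```

Run the export on a schedule and compare against a reviewed baseline; any name in Removed or Changed that does not match an approved change request is worth investigating.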
Step 3: Create a New DLP Policy
To create a new DLP policy named “Restricted Connectors”:
New-DlpPolicy -DisplayName "Restricted Connectors" -Description "DLP policy to restrict certain connectors."
New DLP policy created!
Step 4: Add Connectors to a DLP Policy
DLP policies classify connectors into three categories:
1️⃣ Business – Allowed to share data with other Business connectors.
2️⃣ Non-Business – Can only interact with Non-Business connectors.
3️⃣ Blocked – Completely restricted.
4.1: Add Connectors to the Business Category
Set-DlpPolicyConnectorClassification -PolicyName "Restricted Connectors" -ConnectorName "sharepointonline" -ConnectorGroup Business
4.2: Add Connectors to the Non-Business Category
Set-DlpPolicyConnectorClassification -PolicyName "Restricted Connectors" -ConnectorName "twitter" -ConnectorGroup NonBusiness
4.3: Block a Connector
Set-DlpPolicyConnectorClassification -PolicyName "Restricted Connectors" -ConnectorName "gmail" -ConnectorGroup Blocked
Connectors are classified successfully!
Step 5: Assign Environments to a DLP Policy
List All Available Environments
Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName
Assign a DLP Policy to an Environment
Set-DlpPolicyEnvironments -PolicyName "Restricted Connectors" -EnvironmentName "Default-12345"
DLP policy applied to an environment!
Step 6: Remove a Connector from a DLP Policy
To remove a connector from a DLP policy:
Remove-DlpPolicyConnectorClassification -PolicyName "Restricted Connectors" -ConnectorName "twitter"
Connector removed from policy!
Step 7: Delete a DLP Policy
To delete a DLP policy:
Remove-DlpPolicy -PolicyName "Restricted Connectors" -Confirm:$false
DLP policy deleted!
Step 8: Automate DLP Policy Enforcement
Create a PowerShell script (EnforceDLP.ps1) to automate the steps above:
# Connect to Power Platform with an admin account
Add-PowerAppsAccount

# Define the policy name (used as both display name and lookup key in this guide)
$policyName = "Restricted Connectors"

# Check whether the policy already exists; suppress the error when it does not,
# so the script can fall through to the create branch instead of stopping
$policy = Get-DlpPolicy -PolicyName $policyName -ErrorAction SilentlyContinue
if ($policy) {
    Write-Host "DLP Policy '$policyName' already exists."
} else {
    # Create the DLP policy
    New-DlpPolicy -DisplayName $policyName -Description "Restrict certain connectors."
    Write-Host "DLP Policy '$policyName' created successfully!"
}

# Classify connectors (re-running the script re-applies the same classifications)
Set-DlpPolicyConnectorClassification -PolicyName $policyName -ConnectorName "sharepointonline" -ConnectorGroup Business
Set-DlpPolicyConnectorClassification -PolicyName $policyName -ConnectorName "twitter" -ConnectorGroup NonBusiness
Set-DlpPolicyConnectorClassification -PolicyName $policyName -ConnectorName "gmail" -ConnectorGroup Blocked

Write-Host "DLP Policy enforced successfully!"
DLP policy enforcement is now automated!
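The script above creates the policy if missing and re-applies the classifications, but it does not assign environments, cannot be previewed before it changes the tenant, and leaves no record of what it did. The following is an added example, not code from the original guide: it expresses the desired policy as a table, supports -WhatIf so the planned changes can be reviewed first, covers Steps 3 through 5 in one run, and appends an audit line per action. It uses the cmdlets shown in this guide (Get-DlpPolicy, New-DlpPolicy, Set-DlpPolicyConnectorClassification, Set-DlpPolicyEnvironments); the desired-state table, the log path and the "Default-12345" environment name are assumptions carried over from the guide's placeholders.

```powershell
# Added example (not from the original guide): declarative, idempotent DLP
# enforcement with a preview mode and an audit log.
# Assumes Add-PowerAppsAccount has been run; table values and log path are assumptions.

$DesiredState = @{
    PolicyName   = 'Restricted Connectors'
    Description  = 'Restrict certain connectors.'
    Connectors   = @{
        'sharepointonline' = 'Business'
        'twitter'          = 'NonBusiness'
        'gmail'            = 'Blocked'
    }
    Environments = @('Default-12345')   # placeholder environment name from the guide
}

function Invoke-DlpEnforcement {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [hashtable] $Desired,
        [string] $LogPath = (Join-Path $env:TEMP 'dlp-enforce.log')
    )
    $actions = New-Object System.Collections.Generic.List[string]

    # Look the policy up without throwing, so a missing policy reaches the create branch
    $policy = Get-DlpPolicy -PolicyName $Desired.PolicyName -ErrorAction SilentlyContinue
    if (-not $policy) {
        if ($PSCmdlet.ShouldProcess($Desired.PolicyName, 'Create DLP policy')) {
            New-DlpPolicy -DisplayName $Desired.PolicyName -Description $Desired.Description | Out-Null
            $actions.Add("created policy '$($Desired.PolicyName)'")
        } else {
            $actions.Add("would create policy '$($Desired.PolicyName)'")
        }
    }

    # Re-applying the same classification on every run converges the policy to the
    # table instead of accumulating one-off changes
    foreach ($entry in $Desired.Connectors.GetEnumerator()) {
        $target = "$($entry.Key) -> $($entry.Value)"
        if ($PSCmdlet.ShouldProcess($target, 'Classify connector')) {
            Set-DlpPolicyConnectorClassification -PolicyName $Desired.PolicyName `
                -ConnectorName $entry.Key -ConnectorGroup $entry.Value
            $actions.Add("classified $target")
        } else {
            $actions.Add("would classify $target")
        }
    }

    foreach ($envName in $Desired.Environments) {
        if ($PSCmdlet.ShouldProcess($envName, 'Assign policy to environment')) {
            Set-DlpPolicyEnvironments -PolicyName $Desired.PolicyName -EnvironmentName $envName
            $actions.Add("assigned policy to environment $envName")
        } else {
            $actions.Add("would assign policy to environment $envName")
        }
    }

    # Timestamped audit trail so policy changes can be tied back to a change record
    $stamp = Get-Date -Format 'o'
    $actions | ForEach-Object { "$stamp $_" } | Add-Content -Path $LogPath
    return $actions
}

# Usage: preview the planned changes first, then apply them
# Invoke-DlpEnforcement -Desired $DesiredState -WhatIf
# Invoke-DlpEnforcement -Desired $DesiredState
```

Because every step reads from $DesiredState, the table becomes the reviewable source of truth: a change to a connector's group shows up in version control before it reaches the tenant, and the -WhatIf run shows exactly which cmdlet calls would follow.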