Power Platform Data Loss Prevention (DLP) policies help administrators control how data is shared across Microsoft Power Automate, Power Apps, and other Power Platform services. Using PowerShell, you can create, update, and manage these policies effectively.
Step 1: Install and Import Required PowerShell Modules
Ensure that you have the required PowerShell modules installed before managing DLP policies.
# Install Power Platform PowerShell modules
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser -Force
# Import the module
Import-Module Microsoft.PowerApps.Administration.PowerShell
Step 2: Authenticate to Power Platform
You need Power Platform administrator (or Global administrator) privileges to manage DLP policies. Use the following command to sign in interactively:
# Connect to Power Platform (interactive sign-in)
Add-PowerAppsAccount
For service principal authentication, use the same cmdlet with a certificate. The application must first be registered as a Power Platform management app (New-PowerAppManagementApp) before it can call the admin cmdlets:
$AppId = "YOUR_APP_ID"
$TenantId = "YOUR_TENANT_ID"
$CertificateThumbprint = "YOUR_CERT_THUMBPRINT"
# Connect non-interactively with a certificate-based service principal
Add-PowerAppsAccount -Endpoint prod -TenantID $TenantId -ApplicationId $AppId -CertificateThumbprint $CertificateThumbprint
Step 3: List Existing Data Policies
To check all existing DLP policies in your environment:
# Retrieve all DLP policies (PolicyName holds the policy GUID that the other cmdlets expect)
$dlpPolicies = Get-AdminDlpPolicy
$dlpPolicies | Format-Table PolicyName, DisplayName, CreatedTime, LastModifiedTime
To filter policies by display name:
$policyName = "Your Policy Name"
$dlpPolicy = Get-AdminDlpPolicy | Where-Object { $_.DisplayName -eq $policyName }
$dlpPolicy
Step 4: Create a New Data Policy
To create a new tenant-level DLP policy (one not scoped to a single environment) that will restrict certain connectors, use:
# Define the policy name
$policyName = "Restricted Connectors Policy"
# Create a new policy; a new policy starts with every connector in the Non-Business group
New-AdminDlpPolicy -DisplayName $policyName
Step 5: Assign Connectors to Policy Categories
Power Platform DLP policies categorize connectors into Business, Non-Business, and Blocked groups. Connectors in different groups cannot be used together in the same app or flow, Blocked connectors cannot be used at all, and any connector not explicitly classified falls into Non-Business by default.
# Get the policy ID (the PolicyName property holds the GUID)
$dlpPolicy = Get-AdminDlpPolicy | Where-Object { $_.DisplayName -eq "Restricted Connectors Policy" }
$policyId = $dlpPolicy.PolicyName
# Move SharePoint into the Business group (connector names carry the shared_ prefix)
Add-ConnectorToBusinessDataGroup -PolicyName $policyId -ConnectorName "shared_sharepointonline"
# Block Twitter outright; the blocked group takes the connector's resource id and type
Add-ConnectorToPolicy -PolicyName $policyId -GroupName blocked -ConnectorName "shared_twitter" `
    -ConnectorId "/providers/Microsoft.PowerApps/apis/shared_twitter" -ConnectorType "Microsoft.PowerApps/apis"
# Gmail needs no action: connectors not placed in Business or Blocked remain Non-Business
Step 6: Update an Existing DLP Policy
To modify an existing policy, such as blocking an additional connector:
# Block another connector in the existing policy
Add-ConnectorToPolicy -PolicyName $policyId -GroupName blocked -ConnectorName "shared_dropbox" `
    -ConnectorId "/providers/Microsoft.PowerApps/apis/shared_dropbox" -ConnectorType "Microsoft.PowerApps/apis"
Step 7: Assign the DLP Policy to Environments
To apply the policy only to specific environments:
# Get the environment ID (EnvironmentName holds the GUID, DisplayName the friendly name)
$environment = Get-AdminPowerAppEnvironment | Where-Object { $_.DisplayName -eq "Your Environment Name" }
$envId = $environment.EnvironmentName
# Scope the policy to that environment; use -FilterType Exclude to apply it everywhere except the listed environments
Set-AdminDlpPolicy -PolicyName $policyId -FilterType Include -Environments $envId
Step 8: Remove a Connector from the Policy
A connector always belongs to one of the three groups, so "removing" it means taking it out of the Business or Blocked group, which returns it to the default Non-Business group:
# Return the Gmail connector to Non-Business if it had been placed in the Business group
Remove-ConnectorFromBusinessDataGroup -PolicyName $policyId -ConnectorName "shared_gmail"
# For a blocked connector, remove it from the blocked group instead
Remove-ConnectorFromPolicy -PolicyName $policyId -GroupName blocked -ConnectorName "shared_twitter"
Step 9: Delete a DLP Policy
To remove an existing data policy:
# Remove the policy (confirm the PolicyName first: deletion lifts every restriction the policy enforced)
Remove-AdminDlpPolicy -PolicyName $policyId
Step 10: Export DLP Policies for Auditing
To generate a report of all DLP policies:
# Re-read the policies so the report reflects the changes made above
Get-AdminDlpPolicy | Select-Object PolicyName, DisplayName, CreatedTime, LastModifiedTime | Export-Csv -Path "C:\PowerPlatform\DlpPolicies.csv" -NoTypeInformation
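As an added example that is not part of the original article, the following audit script uses the same cmdlets to flag two common gaps: policies in which a required connector is not in the Business group, and environments that no policy applies to. The FilterType values ('None', 'Include', 'Exclude') and the shape of the BusinessDataGroup and Environments properties are assumptions about the module's output; the required-connector list is a constructed baseline.

```powershell
# Added audit example (not from the original article). Assumes the module is
# imported and Add-PowerAppsAccount has succeeded (Steps 1 and 2).
# Assumed property shapes on Get-AdminDlpPolicy output: BusinessDataGroup and
# Environments are arrays of objects with a .name; FilterType is 'None'
# (all environments), 'Include' or 'Exclude' (the listed Environments).

# Constructed baseline: connectors that must sit in the Business group of every policy.
$requiredBusiness = @('shared_sharepointonline', 'shared_office365')

function Get-DlpAuditFindings {
    param(
        [AllowEmptyCollection()] [object[]] $Policies,
        [AllowEmptyCollection()] [object[]] $Environments
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($policy in $Policies) {
        $business = @($policy.BusinessDataGroup | ForEach-Object { $_.name })
        foreach ($connector in $requiredBusiness) {
            if ($business -notcontains $connector) {
                $findings.Add([pscustomobject]@{
                    Severity = 'High'; Policy = $policy.DisplayName
                    Finding  = "$connector is not in the Business group, so it can be combined with Non-Business connectors"
                })
            }
        }
    }

    # An environment with no applicable policy has no connector restrictions at all.
    foreach ($environment in $Environments) {
        $covered = $Policies | Where-Object {
            $scoped = @($_.Environments | ForEach-Object { $_.name })
            ($_.FilterType -eq 'None') -or
            ($_.FilterType -eq 'Include' -and $scoped -contains $environment.EnvironmentName) -or
            ($_.FilterType -eq 'Exclude' -and $scoped -notcontains $environment.EnvironmentName)
        }
        if (-not $covered) {
            $findings.Add([pscustomobject]@{
                Severity = 'High'; Policy = '(none)'
                Finding  = "Environment '$($environment.DisplayName)' is not covered by any DLP policy"
            })
        }
    }
    return $findings
}

$report = Get-DlpAuditFindings -Policies @(Get-AdminDlpPolicy) -Environments @(Get-AdminPowerAppEnvironment)
$report | Format-Table Severity, Policy, Finding -Wrap
```

Pipe $report to Export-Csv alongside the policy export above to keep the findings with the audit record.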
Step 11: Disconnect Session (Optional)
To log out from Power Platform:
Remove-PowerAppsAccount