Data Loss Prevention (DLP) in Power Automate


Overview

Data Loss Prevention (DLP) in Power Automate is a Power Platform governance control that limits which connectors can be combined in a flow, so that business data cannot be routed through connectors the organization has not approved. A DLP policy classifies connectors and is enforced when a maker saves a flow and when existing flows are re-evaluated after a policy change, so it acts before data moves rather than after.

Prevent business data from being combined with unapproved connectors in the same flow
Control which connectors can be used together
Support compliance requirements (GDPR, HIPAA, etc.) by restricting where regulated data can flow
Give administrators a record of policy changes and suspended flows to audit


1️⃣ Why is DLP Important in Power Automate?

Preventing Data Leaks – Stops flows from sending sensitive data to external or unauthorized services.
Maintaining Compliance – Supports adherence to GDPR, HIPAA, ISO 27001, SOC 2, and other regulations by keeping regulated data within approved connectors.
Minimizing Security Risks – Restricts high-risk connectors such as personal email, social media, and external file-sharing services.
Reducing Insider Risk – Makes it harder for a maker to build a flow that copies confidential business information to a personal or external service, whether by mistake or on purpose. Note that DLP is not a per-user control: it applies to every maker in the environments the policy covers.

Example: A company enforces a DLP policy that prevents financial data in SharePoint from being sent to Gmail, Twitter, or Dropbox.


2️⃣ How DLP Policies Work in Power Automate

DLP policies place every connector into one of three groups. The rule enforced is simple: a single flow may use connectors from only one of the first two groups, and never a connector from the third.

1. Business Connectors (Approved for Business Data)

✔️ These connectors are approved to handle business data.
✔️ Data can flow freely between connectors in this group.

Example: Dynamics 365, SharePoint, Outlook, SQL Server, Power BI.

2. Non-Business Connectors (Cannot Mix with Business)

❌ These connectors may still be used, but not in the same flow as a Business connector.
❌ A flow that mixes Business and Non-Business connectors cannot be saved; an existing flow that becomes non-compliant after a policy change is suspended.

Example: Twitter, Gmail, Facebook, Dropbox, YouTube.

3. Blocked Connectors (Fully Restricted)

🚫 These connectors cannot be used in any flow within the environments the policy covers.
🚫 Prevents all data movement to external or risky services through those connectors.

Example: Telegram, TikTok, Public APIs, Personal Cloud Storage.

Two details matter in practice. Connectors that are not explicitly classified fall into the policy's default group (Non-Business unless the administrator changes it), so a newly released connector is not automatically approved for business data. And some core Microsoft connectors (for example Dataverse and Approvals) cannot be placed in the Blocked group, so blocking is not a way to fully sandbox an environment.


3️⃣ How to Create a DLP Policy in Power Automate

Step 1: Access the Power Platform Admin Center

1️⃣ Go to Power Platform Admin Center
2️⃣ Click on Data Policies under Policies

Step 2: Create a New Policy

1️⃣ Click New Policy
2️⃣ Enter a Policy Name (e.g., “Finance Data Protection Policy”)

Step 3: Define Business, Non-Business & Blocked Connectors

1️⃣ Move each prebuilt connector into one of the groups:

  • Business (Approved for business data)
  • Non-Business (Cannot mix with Business)
  • Blocked (Fully restricted)

2️⃣ Set the default group for connectors that are not explicitly classified. Leaving it at Non-Business means new connectors cannot touch business data until an administrator reviews them.
3️⃣ Classify any custom connectors the same way.

Example: Salesforce and SharePoint are Business connectors, while Twitter and Dropbox are Non-Business connectors, so a flow that reads from SharePoint and posts to Twitter cannot be saved.

Step 4: Scope the Policy to Environments

1️⃣ Select which environments the policy covers:

  • All environments
  • Selected environments only
  • All environments except the ones you exclude

DLP policies are scoped to environments, not to individual users: every maker in a covered environment is subject to the policy. When several policies cover the same environment, a flow must comply with all of them.
2️⃣ Review the settings and create the policy.

Example: A DLP policy is applied only to the “Production Environment”, ensuring security while allowing testing in the “Development Environment.” Anything a maker builds in Development must then be re-checked against the production policy before it is moved.
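To make the rules in sections 2 and 3 concrete, here is an added example (not Microsoft code and not part of the original page) that models how a policy classifies connectors, how its environment scope decides whether it applies, and how a flow is checked against every policy covering its environment. The connector ids follow the shared_* naming seen in policy exports; the environment ids, policy contents and the list of unblockable connectors are constructed for the example and should be checked against the current Microsoft documentation.

```python
# Added example (not Microsoft code): a model of how Power Platform DLP policies
# classify connectors, scope to environments, and decide whether a flow may be saved.
# Connector ids follow the shared_* names seen in policy exports; the environment
# ids and policy contents are constructed for the example.
from dataclasses import dataclass, field

BUSINESS, NON_BUSINESS, BLOCKED = "Business", "Non-business", "Blocked"

# Core connectors the admin center refuses to put in the Blocked group
# (illustrative subset, an assumption; the authoritative list is in Microsoft's docs).
UNBLOCKABLE = {"shared_commondataserviceforapps", "shared_approvals"}


@dataclass
class DlpPolicy:
    name: str
    business: set = field(default_factory=set)
    non_business: set = field(default_factory=set)
    blocked: set = field(default_factory=set)
    default_group: str = NON_BUSINESS           # where unlisted connectors land
    environment_type: str = "AllEnvironments"   # or OnlyEnvironments / ExceptEnvironments
    environments: set = field(default_factory=set)

    def __post_init__(self):
        if self.blocked & UNBLOCKABLE:
            raise ValueError(f"{self.name}: cannot block {sorted(self.blocked & UNBLOCKABLE)}")
        groups = [self.business, self.non_business, self.blocked]
        if sum(len(g) for g in groups) != len(set().union(*groups)):
            raise ValueError(f"{self.name}: a connector may be in only one group")
        if self.default_group not in (BUSINESS, NON_BUSINESS, BLOCKED):
            raise ValueError(f"{self.name}: bad default group {self.default_group!r}")

    def applies_to(self, environment: str) -> bool:
        if self.environment_type == "AllEnvironments":
            return True
        if self.environment_type == "OnlyEnvironments":
            return environment in self.environments
        if self.environment_type == "ExceptEnvironments":
            return environment not in self.environments
        raise ValueError(f"{self.name}: unknown scope {self.environment_type!r}")

    def classify(self, connector: str) -> str:
        if connector in self.business:
            return BUSINESS
        if connector in self.non_business:
            return NON_BUSINESS
        if connector in self.blocked:
            return BLOCKED
        return self.default_group   # unlisted connectors fall into the default group

    def check_flow(self, connectors) -> list:
        """Return the reasons this policy rejects a flow (empty list = compliant)."""
        by_group = {}
        for c in connectors:
            by_group.setdefault(self.classify(c), set()).add(c)
        problems = []
        if BLOCKED in by_group:
            problems.append(f"{self.name}: uses blocked connector(s) {sorted(by_group[BLOCKED])}")
        if BUSINESS in by_group and NON_BUSINESS in by_group:
            problems.append(f"{self.name}: mixes Business {sorted(by_group[BUSINESS])} "
                            f"with Non-business {sorted(by_group[NON_BUSINESS])}")
        return problems


def evaluate_flow(policies, environment: str, connectors) -> list:
    """A flow must satisfy every policy whose scope covers its environment."""
    problems = []
    for p in policies:
        if p.applies_to(environment):
            problems.extend(p.check_flow(connectors))
    return problems


# Constructed tenant: a baseline policy everywhere plus a stricter finance policy
# that is scoped to the production environment only.
PROD, DEV = "env-prod", "env-dev"
POLICIES = [
    DlpPolicy(name="Tenant baseline", blocked={"shared_telegrambot"}),
    DlpPolicy(
        name="Finance Data Protection Policy",
        business={"shared_sharepointonline", "shared_office365", "shared_sql",
                  "shared_powerbi", "shared_commondataserviceforapps"},
        non_business={"shared_gmail", "shared_twitter", "shared_dropbox"},
        blocked={"shared_telegrambot"},
        environment_type="OnlyEnvironments",
        environments={PROD},
    ),
]

if __name__ == "__main__":
    flows = [
        (PROD, ["shared_sharepointonline", "shared_office365"]),  # Business only: allowed
        (PROD, ["shared_powerbi", "shared_gmail"]),               # Business + Non-business: rejected
        (DEV,  ["shared_powerbi", "shared_gmail"]),               # finance policy out of scope: allowed
        (PROD, ["shared_sharepointonline", "shared_youtube"]),    # unlisted connector -> default group
        (DEV,  ["shared_telegrambot"]),                           # blocked by the tenant baseline
    ]
    for env, conns in flows:
        result = evaluate_flow(POLICIES, env, conns)
        print(f"{env} {conns}: {'compliant' if not result else '; '.join(result)}")
```

The fourth flow is the one worth noticing: YouTube is not listed anywhere in the finance policy, yet the flow is rejected because unlisted connectors land in the default group, which is Non-business. That is why the default group should be left at Non-business rather than Business.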


4️⃣ Enforcing DLP Policies for Security Compliance

1. Restrict Data Sharing Across Business & Non-Business Apps

✔️ Block workflows that send sensitive corporate data (e.g., SharePoint, SQL Server) to external services (e.g., Twitter, Gmail).
✔️ Prevent unauthorized data transfers to personal cloud storage (Google Drive, Dropbox).

Example: A user builds a flow that sends a customer list from Power BI to a personal Gmail account. Because Power BI is a Business connector and Gmail is Non-Business, the flow cannot be saved.


2. Protecting Personal & Financial Data

✔️ Enforce GDPR & HIPAA compliance by blocking access to customer records from risky connectors.
✔️ Prevent credit card data or personal health information (PHI) from being sent to unapproved apps.

Example: A DLP policy blocks Power Automate from sending patient records from Microsoft Dataverse to an external chat application.


3. Monitoring & Auditing Data Policies

✔️ Use the Power Platform Admin Center to review which policies cover each environment and which flows have been suspended for non-compliance.
✔️ Enable auditing in the Microsoft Purview compliance portal; creation, update and deletion of DLP policies are recorded there, so a policy that has been loosened can be traced to an administrator account and a point in time.
✔️ Review policy changes and suspended flows on a schedule. DLP enforces at save time and on re-evaluation rather than raising real-time alerts for blocked transfers, so a process is needed to catch policies drifting toward more permissive settings.

Example: An administrator moves the Gmail connector from Non-Business to Business in the finance policy. The change appears in the Purview audit log under that administrator's identity, and the scheduled review flags it because it now allows OneDrive for Business content to be emailed to personal accounts.
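The audit log tells you that a policy changed and who changed it; whether the change made the policy weaker is easier to judge from two exported snapshots of the policies. The following is an added example (not Microsoft code and not part of the original page) that compares a before and after snapshot and reports every change that makes a policy more permissive: a deleted policy, an environment dropped from scope, a relaxed default group, or a connector reclassified into a less restrictive group. The snapshot layout is an assumption (the shape you would get by exporting each policy's groups and scope to JSON, for instance from the admin PowerShell module's Get-DlpPolicy output); the policy contents are constructed for the example.

```python
# Added example (not Microsoft code): compare two snapshots of a tenant's DLP policies
# and report every change that makes a policy more permissive. The snapshot layout is
# an assumption; the policies and environments below are constructed for the example.
import copy

# Restrictiveness of each group with respect to business data: a connector moving to a
# lower rank can now receive data it could not receive before.
RANK = {"Blocked": 2, "Non-business": 1, "Business": 0}


def classification(policy: dict, connector: str) -> str:
    """Group of a connector under a policy, falling back to the policy's default group."""
    for group, members in policy["groups"].items():
        if connector in members:
            return group
    return policy["default_group"]


def scope_covers(policy: dict, environment: str) -> bool:
    kind, envs = policy["environment_type"], set(policy["environments"])
    return {"AllEnvironments": True,
            "OnlyEnvironments": environment in envs,
            "ExceptEnvironments": environment not in envs}[kind]


def weakening_changes(before: dict, after: dict, all_environments) -> list:
    """Return one finding per change that made a policy more permissive."""
    findings = []
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            findings.append(f"{name}: policy deleted")
            continue
        # 1. Environments that were covered and no longer are.
        dropped = [e for e in all_environments
                   if scope_covers(old, e) and not scope_covers(new, e)]
        if dropped:
            findings.append(f"{name}: no longer covers environments {sorted(dropped)}")
        # 2. Default group for unlisted connectors relaxed.
        if RANK[new["default_group"]] < RANK[old["default_group"]]:
            findings.append(f"{name}: default group {old['default_group']} -> {new['default_group']}")
        # 3. Any explicitly listed connector now classified less restrictively, including
        #    ones silently removed from a group and therefore falling into the default group.
        listed = set().union(*old["groups"].values(), *new["groups"].values())
        for c in sorted(listed):
            was, now = classification(old, c), classification(new, c)
            if RANK[now] < RANK[was]:
                findings.append(f"{name}: {c} {was} -> {now}")
    return findings


# Constructed snapshots. BEFORE is the reviewed state; AFTER is what an export shows
# after an administrator edited the finance policy and deleted the tenant baseline.
ENVIRONMENTS = ["env-prod", "env-dev", "env-sandbox"]

BEFORE = {
    "Finance Data Protection Policy": {
        "environment_type": "OnlyEnvironments",
        "environments": ["env-prod", "env-sandbox"],
        "default_group": "Non-business",
        "groups": {
            "Business": ["shared_sharepointonline", "shared_office365", "shared_sql"],
            "Non-business": ["shared_gmail", "shared_dropbox"],
            "Blocked": ["shared_telegrambot"],
        },
    },
    "Tenant baseline": {
        "environment_type": "AllEnvironments",
        "environments": [],
        "default_group": "Non-business",
        "groups": {"Business": [], "Non-business": [], "Blocked": ["shared_telegrambot"]},
    },
}

AFTER = copy.deepcopy(BEFORE)
fin = AFTER["Finance Data Protection Policy"]
fin["environments"].remove("env-sandbox")               # scope shrunk
fin["groups"]["Non-business"].remove("shared_gmail")    # Gmail promoted to Business
fin["groups"]["Business"].append("shared_gmail")
fin["groups"]["Blocked"].remove("shared_telegrambot")   # Telegram now falls to the default group
fin["groups"]["Non-business"].remove("shared_dropbox")  # Dropbox unlisted: default is still Non-business
del AFTER["Tenant baseline"]                            # baseline policy deleted

if __name__ == "__main__":
    for finding in weakening_changes(BEFORE, AFTER, ENVIRONMENTS):
        print(finding)
```

Removing Dropbox from the Non-business group produces no finding because the default group is also Non-business, while removing Telegram from Blocked does, since it now inherits that weaker default. Run against the same snapshot twice the report is empty, which is the state a scheduled review should normally see.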
