Prevent data exfiltration

By implementing data loss prevention (DLP) policies, configuring IP firewalls, and setting up tenant isolation, you guard against unauthorized access to data and enhance the security of your Power Platform resources.

Use data loss prevention policies

Data loss prevention (DLP) is a security solution that identifies and helps prevent unsafe or inappropriate sharing, transfer, or use of sensitive data.

Data loss prevention (DLP) policies help manage and control data sharing and movement across Power Apps, Power Automate, and other Power Platform components. These policies help organizations prevent data loss and ensure compliance with regulatory requirements and internal policies.

DLP best practices to consider include:

  • Blocking or isolating nonbusiness connectors, especially in default environments.
  • Blocking high-risk operations such as HTTP, HTTP with Microsoft Entra ID and SharePoint URLs in environments with many makers.
  • Using endpoint filtering to make sure only expected endpoints can be reached.

Learn more:

Configure IP firewall in Power Platform environments

Environment admins can set up a range of IP addresses that can interact with Power Platform resources. Setting up IP firewalls ensures that only requests from specified IP addresses can trigger a workflow.

  • Set up IP restrictions in your Power Platform environment.
  • Define the allowed IP addresses or ranges that can access the HTTP request trigger.

Learn more: IP firewall in Power Platform environments
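
A pre-deployment check for the allowed ranges described above, as an added example (not Microsoft's code and not the firewall's own matching logic): it validates a planned allowlist and reports which sample requests to an HTTP request trigger would be blocked. The comma-separated input format, the breadth threshold, the flow names, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

def parse_allowlist(spec):
    """Parse a comma-separated allowlist; return (networks, warnings)."""
    networks, warnings = [], []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set, such as 192.0.2.5/24,
            # which usually signal a typo in the intended range.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            warnings.append(f"rejected {entry!r}: {exc}")
            continue
        # Assumed review threshold: anything wider than /8 (IPv4) or /32 (IPv6)
        # is treated as too broad to be a deliberate allowlist entry.
        if net.prefixlen < (8 if net.version == 4 else 32):
            warnings.append(f"skipped overly broad range {net}")
            continue
        networks.append(net)
    return networks, warnings

def is_allowed(source_ip, networks):
    """True if source_ip falls inside any accepted range."""
    addr = ipaddress.ip_address(source_ip)
    # Compare IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) against the IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks if net.version == addr.version)

def audit(spec, requests):
    """Return (requests the planned allowlist would block, allowlist warnings)."""
    networks, warnings = parse_allowlist(spec)
    blocked = [r for r in requests if not is_allowed(r["ip"], networks)]
    return blocked, warnings

# Constructed sample data (documentation address ranges, hypothetical flow names).
PLANNED_ALLOWLIST = "203.0.113.0/24, 198.51.100.7, 2001:db8:10::/48, 192.0.2.5/24, 0.0.0.0/0"
SAMPLE_REQUESTS = [
    {"flow": "invoice-intake", "ip": "203.0.113.40"},
    {"flow": "invoice-intake", "ip": "::ffff:203.0.113.9"},
    {"flow": "hr-onboarding", "ip": "198.51.100.8"},
    {"flow": "hr-onboarding", "ip": "2001:db8:11::1"},
    {"flow": "partner-sync", "ip": "192.0.2.5"},
]

if __name__ == "__main__":
    blocked, warnings = audit(PLANNED_ALLOWLIST, SAMPLE_REQUESTS)
    for w in warnings:
        print("allowlist:", w)
    for r in blocked:
        print("would block:", r["flow"], r["ip"])
```

The partner-sync request is reported as blocked because its intended range was entered with host bits set and rejected, the kind of mistake worth catching before enforcement is turned on.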

Configure tenant isolation

Power Platform has a rich ecosystem of connectors based on Microsoft Entra that allow authorized Microsoft Entra users to build compelling apps and flows that establish connections to the business data available through these data stores.

Tenant isolation makes it easy for administrators to ensure that these connectors are used securely within the tenant while minimizing the risk of data exfiltration outside the tenant. Tenant isolation lets Power Platform administrators effectively govern the movement of tenant data from Microsoft Entra authorized data sources to and from their tenant.

Learn more: Cross-tenant inbound and outbound restrictions

Configure Microsoft Entra conditional access policies

You can create Power Automate conditional access policies in addition to DLP, HTTP OAuth, and IP-pinning to prevent data exfiltration.

At a minimum, include the following audiences in conditional access policies:

Audience                              Endpoint
------------------------------------  -------------------------------------------------
Your unique Dataverse org audience    For example, https://{your-org}.crm.dynamics.com/
Power Platform                        https://api.powerplatform.com
Power Automate                        https://service.flow.microsoft.com/
Power Apps                            https://service.powerapps.com/
Connections                           https://apihub.azure.com

Learn more about the effect of conditional access policies on flows: Recommendations for conditional access and multifactor authentication in Microsoft Power Automate (Flow)