Connector action control
You can use connector action control to allow or block individual actions within a given connector. On the Connectors page, right-click the connector, and then select Configure connector > Connector actions.
Note
Configuring a connector's actions is available for all blockable connectors, but not for unblockable connectors and custom connectors.
When configuring the connector, use the side panel to allow or deny specific actions. You can also set the default value (Allow or Deny) for any new connector actions that will be added to the connector in the future.
Known limitations
Some Power Apps published before October 1, 2020, need to be re-published for connector action rules for data loss prevention (DLP) to be enforced. The script below helps admins and makers identify the apps that must be re-published.
Add-PowerAppsAccount
$GranularDLPDate = Get-Date -Date "2020-10-01 00:00:00Z"
ForEach ($app in Get-AdminPowerApp){
$versionAsDate = [datetime]::Parse($app.LastModifiedTime)
$olderApp = $versionAsDate -lt $GranularDLPDate
$wasBackfilled = $app.Internal.properties.executionRestrictions -ne $null -and $app.Internal.properties.executionRestrictions.dataLossPreventionEvaluationResult -ne $null -and ![string]::IsNullOrEmpty($app.Internal.properties.executionRestrictions.dataLossPreventionEvaluationResult.lastAdvancedBackfillDate)
If($($olderApp -and !$wasBackfilled)){
Write-Host "App must be republished to be Granular DLP compliant: " $app.AppName " " $app.Internal.properties.displayName " " $app.Internal.properties.owner.email
}
Else{
Write-Host "App is already Granular DLP compliant: " $app.AppName
}
}
PowerShell support for connector action control
Retrieve a list of available actions for a connector
Get-AdminPowerAppConnectorAction
Example
Get-AdminPowerAppConnectorAction -ConnectorName shared_msnweather
ID | Type | Properties |
---|---|---|
TodaysForecast | Microsoft.ProcessSimple/apis/apiOperations | @{summary=Get forecast for today; description=Get the forecast for the current day in the specified location. |
OnCurrentWeatherChange | Microsoft.ProcessSimple/apis/apiOperations | @{summary=When the current weather changes; description=Triggers a new flow when the specified weather measure changes. |
CurrentWeather | Microsoft.ProcessSimple/apis/apiOperations | @{summary=Get current weather; description=Get the current weather for a location.; visibility=advanced |
TomorrowsForecast | Microsoft.ProcessSimple/apis/apiOperations | @{summary=Get the forecast for tomorrow; description=Get the forecast for tomorrow in the specified location. |
OnCurrentConditionsChange | Microsoft.ProcessSimple/apis/apiOperations | @{summary=When the current conditions change; description=Triggers a new flow when the conditions change for a locattion. |
Configure connector action rules for a policy
The object that contains connector action rules for a policy is referred to below as the connector configurations.
The connector configurations object has the following structure:
$ConnectorConfigurations = @{
connectorActionConfigurations = @( # array – one entry per connector
@{
connectorId # string
actionRules = @( # array – one entry per rule
@{
actionId # string
behavior # supported values: Allow/Block
}
)
defaultConnectorActionRuleBehavior # supported values: Allow/Block
}
)
}
Retrieve existing connector configurations for a DLP policy
Get-PowerAppDlpPolicyConnectorConfigurations
Create connector configurations for a DLP policy
New-PowerAppDlpPolicyConnectorConfigurations
Update connector configurations for a DLP policy
Set-PowerAppDlpPolicyConnectorConfigurations
Example
Goal:
- Block actions TodaysForecast and CurrentWeather of connector MSN Weather; allow all other actions.
- Allow action GetRepositoryById of connector GitHub; block all other actions.
Note
In the following cmdlet, PolicyName refers to the unique GUID. You can retrieve the DLP GUID by running the Get-DlpPolicy cmdlet.
$ConnectorConfigurations = @{
connectorActionConfigurations = @(
@{
connectorId = "/providers/Microsoft.PowerApps/apis/shared_msnweather"
actionRules = @(
@{
actionId = "TodaysForecast"
behavior = "Block"
},
@{
actionId = "CurrentWeather"
behavior = "Block"
}
)
defaultConnectorActionRuleBehavior = "Allow"
},
@{
connectorId = "/providers/Microsoft.PowerApps/apis/shared_github"
actionRules = @(
@{
actionId = "GetRepositoryById"
behavior = "Allow"
}
)
defaultConnectorActionRuleBehavior = "Block"
}
)
}
New-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId -PolicyName $PolicyName -NewDlpPolicyConnectorConfigurations $ConnectorConfigurations
Feedback
Submit and view feedback for