Edit

Connector action control

  • Article

You can use connector action control to allow or block individual actions within a given connector. On the Connectors page, right-click the connector, and then select Configure connector > Connector actions.

Select Configure connector > Connector actions.

Note

Configuring a connector's actions is available for all blockable connectors, but not for unblockable connectors and custom connectors.

When configuring the connector, use the side panel to allow or deny specific actions. You can also set the default value (Allow or Deny) for any new connector actions that will be added to the connector in the future.

Set Allow or Deny for connector actions.

Known limitations

Some Power Apps published before October 1, 2020, need to be re-published for connector action rules for data loss prevention (DLP) to be enforced. The script below helps admins and makers identify the apps that must be re-published.

Add-PowerAppsAccount

$GranularDLPDate = Get-Date -Date "2020-10-01 00:00:00Z"

ForEach ($app in Get-AdminPowerApp){

    $versionAsDate = [datetime]::Parse($app.LastModifiedTime)
    
    $olderApp = $versionAsDate -lt $GranularDLPDate

    $wasBackfilled = $app.Internal.properties.executionRestrictions -ne $null -and $app.Internal.properties.executionRestrictions.dataLossPreventionEvaluationResult -ne $null -and ![string]::IsNullOrEmpty($app.Internal.properties.executionRestrictions.dataLossPreventionEvaluationResult.lastAdvancedBackfillDate) 

    If($($olderApp -and !$wasBackfilled)){
        Write-Host "App must be republished to be Granular DLP compliant: " $app.AppName " "  $app.Internal.properties.displayName " " $app.Internal.properties.owner.email
    } 
    Else{ 
        Write-Host "App is already Granular DLP compliant: " $app.AppName 
    }
}

PowerShell support for connector action control

Retrieve a list of available actions for a connector

Get-AdminPowerAppConnectorAction

Example

Get-AdminPowerAppConnectorAction -ConnectorName shared_msnweather
ID Type Properties
TodaysForecast Microsoft.ProcessSimple/apis/apiOperations @{summary=Get forecast for today; description=Get the forecast for the current day in the specified location.
OnCurrentWeatherChange Microsoft.ProcessSimple/apis/apiOperations @{summary=When the current weather changes; description=Triggers a new flow when the specified weather measure changes.
CurrentWeather Microsoft.ProcessSimple/apis/apiOperations @{summary=Get current weather; description=Get the current weather for a location.; visibility=advanced
TomorrowsForecast Microsoft.ProcessSimple/apis/apiOperations @{summary=Get the forecast for tomorrow; description=Get the forecast for tomorrow in the specified location.
OnCurrentConditionsChange Microsoft.ProcessSimple/apis/apiOperations @{summary=When the current conditions change; description=Triggers a new flow when the conditions change for a locattion.

Configure connector action rules for a policy

The object that contains connector action rules for a policy is referred to below as the connector configurations.

The connector configurations object has the following structure:

$ConnectorConfigurations = @{ 
  connectorActionConfigurations = @( # array – one entry per connector
    @{  
      connectorId # string
      actionRules = @( # array – one entry per rule 
        @{ 
          actionId # string
          behavior # supported values: Allow/Block
        }
      ) 
      defaultConnectorActionRuleBehavior # supported values: Allow/Block
    } 
  ) 
}

Retrieve existing connector configurations for a DLP policy

Get-PowerAppDlpPolicyConnectorConfigurations

Create connector configurations for a DLP policy

New-PowerAppDlpPolicyConnectorConfigurations

Update connector configurations for a DLP policy

Set-PowerAppDlpPolicyConnectorConfigurations

Example

Goal:

  • Block actions TodaysForecast and CurrentWeather of connector MSN Weather; allow all other actions.
  • Allow action GetRepositoryById of connector GitHub; block all other actions.

Note

In the following cmdlet, PolicyName refers to the unique GUID. You can retrieve the DLP GUID by running the Get-DlpPolicy cmdlet.

$ConnectorConfigurations = @{ 
  connectorActionConfigurations = @(
    @{  
      connectorId = "/providers/Microsoft.PowerApps/apis/shared_msnweather" 
      actionRules = @(
        @{ 
          actionId = "TodaysForecast" 
          behavior = "Block"
        }, 
        @{ 
          actionId = "CurrentWeather" 
          behavior = "Block"
        } 
      ) 
      defaultConnectorActionRuleBehavior = "Allow"
    },
    @{  
      connectorId = "/providers/Microsoft.PowerApps/apis/shared_github" 
      actionRules = @(
        @{ 
          actionId = "GetRepositoryById" 
          behavior = "Allow"
        }
      ) 
      defaultConnectorActionRuleBehavior = "Block"
    } 
  ) 
}
New-PowerAppDlpPolicyConnectorConfigurations -TenantId $TenantId -PolicyName $PolicyName -NewDlpPolicyConnectorConfigurations $ConnectorConfigurations