Enable tenant isolation for Azure AD-based auth connections

Important

This content is archived and is not being updated. For the latest documentation, go to Administer Microsoft Power Platform. For the latest release plans, go to Dynamics 365, Power Platform, and Cloud for Industry release plans.

Enabled for: Admins, makers, marketers, or analysts, automatically
Public preview: Feb 28, 2022
General availability: May 10, 2023

Business value

Admins can reduce data exfiltration and infiltration risk for Azure AD-based connectors in their tenant by turning on tenant isolation for Microsoft Power Platform connections. With tenant isolation on, connections from your tenant to external tenants (outbound) are blocked, and other tenants are blocked from establishing Power Platform connections into your tenant (inbound).

For legitimate business use cases that require cross-tenant connections, admins can specify an allowed list of tenants that are exempt from tenant isolation. Admins can also specify the direction of permitted cross-tenant connections for the allowed tenants (inbound from the external tenant, outbound from your tenant, or both).

Feature details

Enable or disable tenant isolation using the self-serve capability in the Power Platform admin center: When tenant isolation is turned on, Azure AD-based connectors can't be used to create cross-tenant connections to or from your tenant. Previously, enabling tenant isolation required a support ticket; now you manage your own tenant isolation settings directly in the Power Platform admin center. Note that tenant isolation governs only connectors that authenticate with Azure AD; connections that use other credential types are not affected by it and remain subject to your data loss prevention (DLP) policies.

Choose an allowed list of tenants that are exempt from tenant isolation: This new capability within tenant isolation lets legitimate business scenarios keep connecting to explicitly identified tenants while everything else is blocked. The wildcard character (*) can be used in place of specific tenant IDs to allow all tenants in one direction (inbound or outbound). Be aware that a wildcard entry removes isolation for that direction entirely, so use it only where, for example, inbound connections from any tenant are acceptable while outbound connections stay blocked.
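The following is an added example, not code from the release plan page or from Microsoft's documentation. It shows the same configuration described above done from PowerShell with the Microsoft.PowerApps.Administration.PowerShell cmdlets Get-PowerAppTenantIsolationPolicy and Set-PowerAppTenantIsolationPolicy: isolation turned on, one partner tenant exempted in a single direction, and a guard that refuses a wildcard allowed in both directions (which would be equivalent to isolation being off). The property names on the policy object (properties.isDisabled, properties.allowedTenants, direction.inbound and direction.outbound) are an assumption based on the module's policy shape and should be checked against the output of Get-PowerAppTenantIsolationPolicy before applying; the tenant IDs are placeholders.

```powershell
# Added example (not from the page). Requires the Microsoft.PowerApps.Administration.PowerShell
# module and a Power Platform administrator account.
# ASSUMPTION: the policy object exposes properties.isDisabled and properties.allowedTenants,
# each allowed entry having tenantId and direction.inbound / direction.outbound. Confirm the
# shape against the Get- output before running the Set- call.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount

$TenantId        = "00000000-0000-0000-0000-000000000000"   # placeholder: your tenant
$PartnerTenantId = "11111111-1111-1111-1111-111111111111"   # placeholder: one approved partner

# Start from the policy that is actually deployed rather than from an empty object.
$Policy = Get-PowerAppTenantIsolationPolicy -TenantId $TenantId
Write-Host "Tenant isolation currently disabled: $($Policy.properties.isDisabled)"

# Turn isolation on: every Azure AD-based cross-tenant connection is blocked
# unless an allowedTenants entry permits it in that direction.
$Policy.properties.isDisabled = $false

# Allowed list: our makers may connect out to the partner tenant, but the partner
# may not create connections into our tenant.
$Policy.properties.allowedTenants = @(
    @{
        tenantId  = $PartnerTenantId
        direction = @{ inbound = $false; outbound = $true }
    }
)

# A wildcard entry reopens the named direction for ALL tenants. The commented line
# below would allow inbound from any tenant while keeping outbound blocked; it is
# left out deliberately so nobody applies it by accident.
# $Policy.properties.allowedTenants += @{ tenantId = "*"; direction = @{ inbound = $true; outbound = $false } }

# Refuse a wildcard that is open in both directions: that is isolation switched off
# with extra steps, and almost never what an admin intends.
foreach ($Entry in $Policy.properties.allowedTenants) {
    if ($Entry.tenantId -eq "*" -and $Entry.direction.inbound -and $Entry.direction.outbound) {
        throw "Wildcard allowed in both directions disables tenant isolation; refusing to apply."
    }
}

# Apply the policy, then re-read it so the console shows what the service recorded,
# not what we think we sent.
Set-PowerAppTenantIsolationPolicy -TenantId $TenantId -TenantIsolationPolicy $Policy | Out-Null

$Applied = Get-PowerAppTenantIsolationPolicy -TenantId $TenantId
Write-Host "Tenant isolation disabled after update: $($Applied.properties.isDisabled)"
$Applied.properties.allowedTenants | Format-Table `
    tenantId,
    @{ Name = 'inbound';  Expression = { $_.direction.inbound  } },
    @{ Name = 'outbound'; Expression = { $_.direction.outbound } }
```

Reading the policy back after the update is the check worth keeping: the allowed list is what decides whether a "blocked" direction is really blocked, and a stray wildcard entry is easy to miss in the admin center UI but obvious in the table above.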

See also

Establishing a DLP strategy (docs)