Custom Connector support for DLP
In my last article I explained how to create a custom connector and in this article I will explain how to add a custom connector to a Data Loss Prevention (DLP) policy.
I wrote about how Data Loss Prevention policies work in PowerApps and Flow in this article, if you need a refresher.
Microsoft introduced HTTP and Custom Connector Support for Data Loss Prevention Policies in January 2019. I recommend reading that article first.
Prerequisites
To be able to create a DLP that manages custom connectors (and HTTP actions) you will need a few things:
- The Office 365 Global Admin role or the Azure AD Global Admin role
- A paid or trial Plan 2 license
- The PowerApps PowerShell modules installed
- Basic PowerShell knowledge
The PowerShell syntax
To add a custom connector to a DLP we have to use the Add-CustomConnectorToPolicy cmdlet.
As you can tell from its parameters, we need a few things before we can add a custom connector to a DLP:
- PolicyName – The policy name.
- ConnectorName – The connector's name (not the display name).
- GroupName – Accepted values are lbi or hbi: lbi is the No Business Data Allowed group and hbi is the Business Data Only group.
- ConnectorId – The custom connector ID.
- ConnectorType – The custom connector type.
- ApiVersion – The API version to call with. The default value is 2018-01-01.
The next step here is to create the DLP to get the PolicyName and, after that, we will get the rest of the details.
Creating the DLP
I currently have 2 DLPs in my tenant which I created through the UI.
To create a new DLP that can handle custom connectors, you have to create it from PowerShell rather than from the UI. I named my policy Custom Connectors.
The cmdlet that creates the policy takes a -SchemaVersion parameter, to which you have to pass 2018-11-01.
You have to use this version to ensure that the DLP will support custom connectors and HTTP actions; a policy created through the UI does not.
If you did everything right, the result will look like below. Notice that the PolicyName is a GUID – copy the GUID because you will need it later:
DisplayName : Custom Connectors
CreatedTime : 2019-05-10T05:03:47.7271705Z
CreatedBy : @{id=3a5c33ab-949c-445b-8032-efe18d02a234; displayName=Superman; email=superman@superheroes.onmicrosoft.com; type=User;
tenantId=cf811315-a2b6-44a6-94c6-1d78a2b08e8d; userPrincipalName=superman@superheroes.onmicrosoft.com}
LastModifiedTime : 2019-05-10T05:03:47.7271705Z
LastModifiedBy : @{id=3a5c33ab-949c-445b-8032-efe18d02a234; displayName=Superman; email=superman@superheroes.onmicrosoft.com; type=User;
tenantId=cf811315-a2b6-44a6-94c6-1d78a2b08e8d; userPrincipalName=superman@superheroes.onmicrosoft.com}
Constraints :
BusinessDataGroup : {}
NonBusinessDataGroup : {}
FilterType :
Environments :
If you go back to the PowerApps Admin Center you will see the policy in the UI under Data Policies:
Managing HTTP actions in the DLP
Now that the DLP is created, you can add the HTTP actions to one of the data groups in the DLP.
By default, the HTTP actions will sit in the No business data allowed data group, as shown below:
Now you can add the actions to the Business Data Only data group if you want to isolate them from other connectors.
To do this, click the Add button in the Business Data Only data group, search for "http" in the Add connectors dialog, select the HTTP actions and click the Add connectors button.
This will add the HTTP actions to the Business Data Only data group as shown below:
That is all that you have to do to manage HTTP actions in a Data Loss Prevention policy.
Obviously, you can create multiple DLPs, perhaps one to handle HTTP actions and another one to handle one or more custom connectors.
Now I will explain how to add a custom connector to a DLP.
Identifying the Custom Connector
I have the PolicyName from the previous step and now I need the rest of the details.
The next thing you need to do is to identify the custom connector you want to add to the DLP and get its display name.
In my case, the custom connector I want to add is Yelp and I can find it by going to the PowerApps Portal or Flow Portal >> Data >> Custom Connectors
If you want to know how I built this connector, read this article.
Clicking on the Yelp connector will open the Details page.
On this Details page I can see the connector's display name, its description, who created it, and the authentication type. But in order to manage this connector in a DLP I will need the connector's identifier (aka ConnectorName), which is not exposed in this UI.
Getting the custom connector details
Now that I know the display name of my custom connector, I can query it from PowerShell and get its ConnectorName.
The query returns the connector properties, including the ConnectorName, ConnectorId, and type.
The type is the type key of the connector's Internal property. As you can see below, in this case the connector type is Microsoft.PowerApps/apis:
ConnectorId : /providers/Microsoft.PowerApps/scopes/admin/environments/Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d/apis/shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76
EnvironmentName : Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d
CreatedTime : 2019-04-08T06:05:37.7594443Z
ChangedTime : 2019-05-06T05:00:15.8871843Z
DisplayName : Yelp
Description : Yelp! connector
Publisher : Superman
Source : powerapps-user-defined
Tier : Standard
Url : https://msmanaged-na.azure-apim.net/apim/yelp.5f2a67e956e74d0db1.5f77834d48371e7a76
ConnectionParameters : @{api_key=}
Swagger :
WadlUrl :
Internal : @{name=shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76; id=/providers/Microsoft.PowerApps/apis/shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76; type=Microsoft.PowerApps/apis; properties=}
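Here is an added example, not code from the original article, that performs the lookup described above from PowerShell and extracts the three values Add-CustomConnectorToPolicy needs. It assumes the Microsoft.PowerApps.Administration.PowerShell module is installed and that you have already signed in with Add-PowerAppsAccount; the -EnvironmentName parameter of Get-AdminPowerAppConnector and the property names (DisplayName, Source, ConnectorId, Internal.name, Internal.type) are taken from the output shown above. The fallback for a missing type is my assumption, based on the value the article's output shows for a custom connector.

```powershell
# Added example; not code from the original article.
# Looks up a custom connector by display name and returns the ConnectorName,
# ConnectorId and ConnectorType that Add-CustomConnectorToPolicy expects.
# Assumes Microsoft.PowerApps.Administration.PowerShell is installed and a
# session has been opened with Add-PowerAppsAccount.
function Get-DlpConnectorDetails {
    param(
        [Parameter(Mandatory)] [string] $EnvironmentName,   # e.g. Default-<tenant id>
        [Parameter(Mandatory)] [string] $DisplayName        # what the portal shows, e.g. 'Yelp'
    )

    # Custom connectors are environment-scoped, so query that environment only, and
    # match on DisplayName because the DLP cmdlet wants the internal name, not the display name.
    $found = @(Get-AdminPowerAppConnector -EnvironmentName $EnvironmentName |
        Where-Object { $_.DisplayName -eq $DisplayName })

    if ($found.Count -ne 1) {
        throw "Expected exactly one connector with display name '$DisplayName' in $EnvironmentName, found $($found.Count)."
    }
    $c = $found[0]

    # Only user-defined connectors are managed this way; built-in connectors are moved in the admin UI.
    if ($c.Source -ne 'powerapps-user-defined') {
        throw "'$DisplayName' is not a custom connector (Source = '$($c.Source)')."
    }

    $type = $c.Internal.type
    if ([string]::IsNullOrWhiteSpace($type)) {
        # Assumption: some module versions do not surface the type. The article's output
        # shows Microsoft.PowerApps/apis for a custom connector, so fall back to that, but say so.
        Write-Warning "Connector type not returned by PowerShell; assuming Microsoft.PowerApps/apis."
        $type = 'Microsoft.PowerApps/apis'
    }

    [pscustomobject]@{
        ConnectorName = $c.Internal.name   # shared_yelp.<suffix>, never the display name
        ConnectorId   = $c.ConnectorId     # /providers/Microsoft.PowerApps/scopes/admin/environments/<env>/apis/<name>
        ConnectorType = $type
    }
}

# Usage (the environment name is the one from the article's output, assumed here):
# Get-DlpConnectorDetails -EnvironmentName 'Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d' -DisplayName 'Yelp'
```

The function refuses to guess when the display name is ambiguous, because two connectors with the same display name in one environment would otherwise silently put the wrong one under policy.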
Adding the custom connector to DLP
Now that we have the policy name, the connector name, the connector ID, and the connector type, we can run the Add-CustomConnectorToPolicy command:
And if we did everything right, we will get a 200 response back:
Description : OK
Error :
Errors :
Internal : {
  "id": "/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/68f4ad82-8954-4962-903d-2e8118d834b6",
  "type": "Microsoft.BusinessAppPlatform/scopes/apiPolicies",
  "name": "68f4ad82-8954-4962-903d-2e8118d834b6",
  "tags": {},
  "properties": {
    "displayName": "Custom Connectors",
    "createdTime": "2019-05-10T05:03:47.7271705Z",
    "createdBy": {
      "id": "3a5c33ab-949c-445b-8032-efe18d02a234",
      "displayName": "Superman",
      "email": "superman@superheroes.onmicrosoft.com",
      "type": "User",
      "tenantId": "cf811315-a2b6-44a6-94c6-1d78a2b08e8d",
      "userPrincipalName": "superman@superheroes.onmicrosoft.com"
    },
    "lastModifiedTime": "2019-05-15T05:49:17.7995853Z",
    "lastModifiedBy": {
      "id": "3a5c33ab-949c-445b-8032-efe18d02a234",
      "displayName": "Superman",
      "email": "superman@superheroes.onmicrosoft.com",
      "type": "User",
      "tenantId": "cf811315-a2b6-44a6-94c6-1d78a2b08e8d",
      "userPrincipalName": "superman@superheroes.onmicrosoft.com"
    },
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.BusinessAppPlatform/schemas/2018-11-01/apiPolicyDefinition.json#",
      "constraints": {},
      "apiGroups": {
        "lbi": { "description": "No business data allowed", "apis": [] },
        "hbi": {
          "description": "Business data only",
          "apis": [
            {
              "id": "/providers/Microsoft.PowerApps/scopes/admin/environments/Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d/apis/shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76",
              "name": "shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76",
              "type": "Microsoft.PowerApps/apis"
            }
          ]
        }
      },
      "defaultApiGroup": "lbi",
      "rules": {
        "dataFlowRule": {
          "type": "DataFlowRestriction",
          "parameters": { "destinationApiGroup": "lbi", "sourceApiGroup": "hbi" },
          "actions": { "blockAction": { "type": "Block" } }
        }
      }
    }
  }
}
This is how it looks in the UI:
Removing the custom connector from the DLP
To remove the connector, run the Remove-CustomConnectorFromPolicy cmdlet. It only needs the PolicyName and the ConnectorName.
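The following is an added example, not code from the original article, that wraps the add and remove steps above and, instead of trusting the 200 response alone, reads the policy definition the service returns and checks that the connector is in the requested group and that the hbi-to-lbi block rule is intact. It assumes the Microsoft.PowerApps.Administration.PowerShell module, a session opened with Add-PowerAppsAccount, and that New-AdminDlpPolicy is the cmdlet used to create the 2018-11-01 policy (the article does not name it). The sample JSON at the end is constructed from the response shown above, trimmed to the fields the check uses, so that part runs offline.

```powershell
# Added example; not code from the original article.
# Assumes Microsoft.PowerApps.Administration.PowerShell and a signed-in session.

# Pure check over the JSON carried in the response's Internal property; runs offline.
function Test-ConnectorInGroup {
    param(
        [Parameter(Mandatory)] [string] $PolicyJson,
        [Parameter(Mandatory)] [string] $ConnectorName,
        [Parameter(Mandatory)] [ValidateSet('lbi', 'hbi')] [string] $GroupName
    )
    $def = ($PolicyJson | ConvertFrom-Json).properties.definition

    # Only the 2018-11-01 schema carries custom connectors and HTTP actions.
    if ($def.'$schema' -notmatch '/2018-11-01/') { return $false }

    $other   = if ($GroupName -eq 'hbi') { 'lbi' } else { 'hbi' }
    $inGroup = @($def.apiGroups.$GroupName.apis | Where-Object { $_.name -eq $ConnectorName }).Count -eq 1
    $inOther = @($def.apiGroups.$other.apis     | Where-Object { $_.name -eq $ConnectorName }).Count -gt 0

    # The policy's single rule must still block data moving from hbi into lbi.
    $rule      = $def.rules.dataFlowRule
    $blocksHbi = ($rule.type -eq 'DataFlowRestriction') -and
                 ($rule.parameters.sourceApiGroup -eq 'hbi') -and
                 ($rule.parameters.destinationApiGroup -eq 'lbi') -and
                 ($rule.actions.blockAction.type -eq 'Block')

    return ($inGroup -and -not $inOther -and $blocksHbi)
}

# Adds the connector and verifies the placement from the returned definition.
function Add-CustomConnectorToPolicyChecked {
    param(
        [Parameter(Mandatory)] [string] $PolicyName,      # the policy GUID
        [Parameter(Mandatory)] [string] $ConnectorName,   # shared_<name>.<suffix>
        [Parameter(Mandatory)] [string] $ConnectorId,
        [string] $ConnectorType = 'Microsoft.PowerApps/apis',
        [ValidateSet('lbi', 'hbi')] [string] $GroupName = 'hbi'
    )
    $params = @{
        PolicyName    = $PolicyName
        ConnectorName = $ConnectorName
        GroupName     = $GroupName
        ConnectorId   = $ConnectorId
        ConnectorType = $ConnectorType
    }
    $resp = Add-CustomConnectorToPolicy @params
    if ($resp.Description -ne 'OK') {
        throw "Add-CustomConnectorToPolicy failed: $($resp.Error) $($resp.Errors)"
    }
    # Internal is a JSON string in the article's output; tolerate an already-parsed object.
    $json = if ($resp.Internal -is [string]) { $resp.Internal } else { $resp.Internal | ConvertTo-Json -Depth 20 }
    if (-not (Test-ConnectorInGroup -PolicyJson $json -ConnectorName $ConnectorName -GroupName $GroupName)) {
        throw "Connector $ConnectorName is not (only) in the $GroupName group of policy $PolicyName."
    }
}

# Constructed sample, trimmed from the response shown in the article, to exercise the check offline.
$sampleJson = @'
{"name":"68f4ad82-8954-4962-903d-2e8118d834b6","properties":{"displayName":"Custom Connectors","definition":{
 "$schema":"https://schema.management.azure.com/providers/Microsoft.BusinessAppPlatform/schemas/2018-11-01/apiPolicyDefinition.json#",
 "constraints":{},
 "apiGroups":{"lbi":{"description":"No business data allowed","apis":[]},
              "hbi":{"description":"Business data only","apis":[{"id":"/providers/Microsoft.PowerApps/scopes/admin/environments/Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d/apis/shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76","name":"shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76","type":"Microsoft.PowerApps/apis"}]}},
 "defaultApiGroup":"lbi",
 "rules":{"dataFlowRule":{"type":"DataFlowRestriction","parameters":{"destinationApiGroup":"lbi","sourceApiGroup":"hbi"},"actions":{"blockAction":{"type":"Block"}}}}}}}
'@
$yelp = 'shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76'
Test-ConnectorInGroup -PolicyJson $sampleJson -ConnectorName $yelp -GroupName hbi
Test-ConnectorInGroup -PolicyJson $sampleJson -ConnectorName $yelp -GroupName lbi

# Live flow (assumed cmdlet names for policy creation; values as in the article):
# $policy = New-AdminDlpPolicy -DisplayName 'Custom Connectors' -SchemaVersion 2018-11-01
# Add-CustomConnectorToPolicyChecked -PolicyName $policy.PolicyName -ConnectorName $yelp `
#     -ConnectorId "/providers/Microsoft.PowerApps/scopes/admin/environments/Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d/apis/$yelp"
# Undo: only the policy GUID and the connector name are needed.
# Remove-CustomConnectorFromPolicy -PolicyName $policy.PolicyName -ConnectorName $yelp
```

Against the sample, the hbi check passes and the lbi check fails, because the connector is listed under hbi only. Two caveats worth checking before relying on the result: the default group is lbi, so a custom connector you never add to the policy lands in No Business Data Allowed, and when a tenant-level policy also covers the environment the most restrictive grouping wins, so an environment-level hbi placement has no effect until that environment is excluded from the tenant-level policy.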
Hi Alex,
Does this only work in the tenant level?
I tried to set this up in the environment-level Data Policy, but it did not work in PowerApps, despite everything being displayed just as you explained.
Hi! HTTP connectors are at tenant level, meaning that if you create a tenant-level policy and include the HTTP connectors, it will affect all environments. Custom Connectors are environment-level resources, meaning that you can't create a connection in environment A to connect to a custom connector in environment B. In this case you would have to create the connector in environment B as well, and therefore have 2 separate custom connectors, and then apply the DLP for each at environment level. Hope that helps.
Hi Alex,
Your explanation is understood. However, the relevant important point, stated in the docs, is (all of this is as of the May 2020 version):
– https://docs.microsoft.com/en-us/power-platform/admin/wp-data-loss-prevention#combined-effect-of-multiple-dlp-policies
– Note that the most restrictive grouping is finally imposed when all the policies applicable to an environment are evaluated together.
In my case, the global policy was defined at the tenant level. So whatever I did with the custom connector in the environment-level policy just DID NOT work.
After several emails with Microsoft support, they gave me the working solution:
– Exclude the environment policy in the global policy.
After the environment policy is excluded, the custom connectors settings there works as explained.
Thanks a lot for this blog, it helped me to use the powershell.
Regards,
HSU
You're correct. The tenant level policy will override the environment-level policy, sorry for not making that clear.
Thank you for this post!
For some reason I'm not able to get back the Type for a custom HTTP connector I built. Is this a standard list, so that I could try some other values for ConnectorType?
Hi Drew, the only way you can get the type today is by using Fiddler or the web trace from the browser. In Chrome, go to flow.microsoft.com, navigate to your custom connectors list, and press F12 or Ctrl+Shift+I, which will open dev tools. In dev tools go to the Network tab, then click on your custom connector to see its details; in the network trace you will find the custom connector query, where you will be able to see the type in the query response. I hope that helps. I can't remember the exact query name off the top of my head, hence my recommendation to turn on dev tools right before clicking on the connector, to avoid network clutter. I am not sure why it is no longer exposed in PS, but the property exists.
Very helpful!