Forum Discussion
Need help with configuring DLP policies for Flow in O365
I'm trying to configure DLP policies for Flow in O365. I understand that the idea is that you can't create flows by combining connectors from the two groups (Business data only & No business data allowed).
I have created a DLP policy with all the connectors in the "No business data allowed" group. My assumption was that you can create flows by combining the connectors in this group, but the Flow won't be able to access company data. I have created 3 flows and they all work:
- Automatically upload new files from OneDrive for Business to OneDrive (consumer version)
- Save Office 365 email attachments to OneDrive (consumer version)
- Save Office 365 email attachments to OneDrive for Business
The DLP policy is applied to all environments, but it's not having any impact.
The only DLP policies I can create that have an impact are the ones where you add one or more connectors to the "Business data only" group. By adding only 1 connector in that group, users won't be able to run Flows that combine that connector with connectors from the "No business data allowed" group. Adding multiple connectors to the "Business data only" group allows users to create Flows by combining these connectors.
What I would like to achieve is the following:
- Allow users to create Flows by combining Office 365 connectors (business data stays within the company)
- Allow users to create Flows where info from the outside world is stored within the O365 environment (e.g. save Tweets with specific hashtag in Teams)
- Don't allow business data to leave the company (e.g. copy O365 Outlook meetings to Google calendar)
Can someone explain how I can set this up?
- Clifford Kennedy (Iron Contributor)
Hi Pooya Obbohat - so, your assumption is correct regarding the relationship between the two groups, that is "you can't create flows by combining connectors from the two groups (Business data only & No business data allowed)." But as for your objectives, let's walk through them:
1. Allow users to create Flows by combining Office 365 connectors (business data stays within the company)
RECOMMENDATION: Add the O365 connectors to the "Business data only" group. See attachment for how this might look.
With that in place, users can create Flows with connectors from the O365 group that can interact with one another, but they cannot create Flows that interact with those on the "no-Business data allowed" group.
2. Allow users to create Flows where info from the outside world is stored within the O365 environment (e.g. save Tweets with specific hashtag in Teams)
NOT POSSIBLE: The DLP engine is bi-directional, so when you add connectors into a group, the data can go in both directions. To use your example, if you add Twitter to the "Business data only" group, you can achieve the requirement to save Tweets based on a specific hashtag to Teams, but you can also send data out to Twitter too, which from your requirements you don't wish to do. I have had discussions with the product group on the idea of uni-directional policies, but nothing has been committed to at this time.
3. Don't allow business data to leave the company (e.g. copy O365 Outlook meetings to Google calendar)
RECOMMENDATION: See point 1. above, but you probably know that based on what I shared above. Like us you would like all 3 scenarios to be possible, while protecting your data. The solution is not quite there yet.
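The behaviour described in the question and in the reply above (a policy with everything in "No business data allowed" changes nothing, putting the O365 connectors in "Business data only" blocks the cross-group flows, and promoting Twitter to the business group lets data travel in both directions) follows from one rule: a flow is allowed only if all of its connectors sit in the same group, and the direction of data movement is not part of the check. The script below is an added example that models that rule; it is not Microsoft code and does not call the Power Platform API. The connector labels are plain strings constructed from the thread, and the assumption that unlisted connectors fall into the "No business data allowed" group is stated in the code.

```python
from dataclasses import dataclass

# Group labels as they appear in the Power Platform admin center.
BUSINESS = "Business data only"
NON_BUSINESS = "No business data allowed"


@dataclass(frozen=True)
class Flow:
    name: str
    connectors: frozenset  # every connector the flow uses, source and sink alike


@dataclass
class DlpPolicy:
    """One DLP policy: each connector belongs to exactly one group."""
    name: str
    business: frozenset = frozenset()
    non_business: frozenset = frozenset()
    # Assumption: connectors the policy does not list fall into the
    # "No business data allowed" group (the admin-center default).
    default_group: str = NON_BUSINESS

    def group_of(self, connector: str) -> str:
        if connector in self.business:
            return BUSINESS
        if connector in self.non_business:
            return NON_BUSINESS
        return self.default_group

    def evaluate(self, flow: Flow) -> tuple[bool, dict]:
        """A flow passes iff all its connectors are in one group.
        Data direction is deliberately not an input: the policy is
        bi-directional, so source/sink order cannot change the verdict."""
        groups = {c: self.group_of(c) for c in flow.connectors}
        return len(set(groups.values())) <= 1, groups


# Constructed connector labels taken from the thread (not real connector IDs).
O365 = frozenset({"Office 365 Outlook", "OneDrive for Business", "Microsoft Teams"})
CONSUMER = frozenset({"OneDrive", "Twitter", "Google Calendar"})

# The three flows the poster built, plus the two scenarios in the objectives.
FLOWS = [
    Flow("OneDrive for Business -> OneDrive",
         frozenset({"OneDrive for Business", "OneDrive"})),
    Flow("Outlook attachments -> OneDrive",
         frozenset({"Office 365 Outlook", "OneDrive"})),
    Flow("Outlook attachments -> OneDrive for Business",
         frozenset({"Office 365 Outlook", "OneDrive for Business"})),
    Flow("Tweets -> Teams",
         frozenset({"Twitter", "Microsoft Teams"})),
    Flow("Outlook meetings -> Google Calendar",
         frozenset({"Office 365 Outlook", "Google Calendar"})),
]

# Policy as the poster first configured it: every connector in the non-business group.
EVERYTHING_NON_BUSINESS = DlpPolicy("all non-business", non_business=O365 | CONSUMER)
# Policy as recommended in the reply: Office 365 connectors in the business group.
O365_BUSINESS = DlpPolicy("O365 business", business=O365, non_business=CONSUMER)
# Policy that also promotes Twitter so Tweets can reach Teams (and Teams can reach Twitter).
O365_PLUS_TWITTER = DlpPolicy("O365 + Twitter business",
                              business=O365 | {"Twitter"},
                              non_business=CONSUMER - {"Twitter"})


def allowed_flows(policy: DlpPolicy, flows=FLOWS) -> list[str]:
    """Names of the flows this policy would let run, in input order."""
    return [f.name for f in flows if policy.evaluate(f)[0]]


def report(policy: DlpPolicy, flows=FLOWS) -> None:
    for f in flows:
        ok, groups = policy.evaluate(f)
        print(f"[{policy.name}] {f.name}: {'allowed' if ok else 'blocked'} {groups}")


if __name__ == "__main__":
    for p in (EVERYTHING_NON_BUSINESS, O365_BUSINESS, O365_PLUS_TWITTER):
        report(p)
```

Running it reproduces the thread: the all-non-business policy allows every flow (hence "not having any impact"), the O365-business policy allows only Outlook-to-OneDrive-for-Business and blocks the Google Calendar copy, and adding Twitter to the business group allows Tweets-to-Teams but, because only the connector set is evaluated, a Teams-to-Twitter flow with the same two connectors is allowed as well.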
- Brian Reese (Steel Contributor)
Good day Clifford Kennedy! Perhaps you can help me on something related to this. My company has the desire to only use the connectors provided by Microsoft as well and keep the data contained in Office 365 precisely as you described. Can you point towards any documentation that clearly defines what is a Microsoft-controlled container and what isn't? When I look at a page like this one: https://docs.microsoft.com/en-us/connectors/approvals/ I can't get the assurance that my company needs to say yes, that is a Microsoft-owned app contained in Office 365 / Azure.
Thanks kindly!
- Clifford Kennedy (Iron Contributor)
Hi Brian Reese - great question. I raised the exact same thing with the product group a few months back - let me check with a contact and see if this is now in the works.