To me PowerApps and Flow is not concerned with controlling the access to connectors and the data they access, only how to use them together via their DLP offering. Control and access to the data should be done at the Tenant, Azure AD level, giving users access to only the data assets they require. Using offerings like AAD Conditional access and SSO to 3rd party services and apps(Google, Box, DropBox….).
Using’s the controls offered within AAD to enforce the same experiences on-premise to that of what can be on the Tenant/Cloud.
For an Example IF access to Dropbox is locked down on-premise, the URL to the login/authentication screen is blocked through Network Access Control Polices and Firewalls, so say I try to set up a Dropbox connector to use in Flow, I maybe unable to authenticate to Dropbox and in turn unable to set up the connector from On-Premise.
But if I open Office 365 from a mobile, off premise, try and set up a connector to Dropbox again, say this time I CAN authenticate and set up the connector, as I’m outside off the on-premise network accessing the O365 Tenant directly, so Network Access Control Polices and Firewalls rules do not take effect.
Now once the connector is set up it is available to use within PowerApps and Flow, even on premise as it is in my List of connection and I can just select it and use, as the token access has now been set up.
SO here It would be possible to access Dropbox Via flow on premise, which would be blocked elsewhere on-premise, in this scenario.
What I was looking for more details on is that if AAD is to to enforce Conditional access for SSO to services like Dropbox, via the enterprise applications section, then could we can control or monitor access from the Tenant, and once in place will PowerApps, Flow obey by these rules to give control access capabilities to the data that the connectors use and in turn access for connectors.
Example: In AAD add Dropbox to Enterprise application, and set it up for SSO, then use Conditional to only allow access by SSO, and add users access via AAD. Then when a user tries to login to Dropbox then they require access via AAD to use SSO. Now when setting up a Dropbox connector in Flow they will also need to Authenticate Via SSO to set up the connector, so access controlled via AAD(Or maybe there are other ways to provide a similar effect?)
(Then Later, further to this, MCAS can be adopted to govern how the 3rd party services are used, or how the data is used)