How to secure Power Automate / Flow


I am wondering how to best secure Power Automate to prevent data leaks. I can see that there is the connector config where you can divide them into two separate groups that cannot talk to each other. It might therefore seem sensible to put the MS ones into one group and the others into the other.

However, even if the MS service connectors are all in a group together, they don't specify which Azure or Office 365 tenant you can connect to. This still feels like a bit of a risk, since users could hook up a flow to a personal tenant...

When you look at Teams apps, they suffer from the same issue, e.g. the Forms app allows me to connect to any Forms account, not just the one in the tenant I am currently in.

I know that some things, like the tenant restriction feature at the proxy, can stop you from accessing those other tenants when on the company network. Conditional Access can also do things like make sure you can only access these services from certain trusted locations etc., but as people start to use mobile devices and so on, I cannot trust them to always be on the company network.

I want to allow use of Power Automate within our Office 365 tenant, but only to connect to other services in that same tenant. Is this even possible?

0 Replies