Information
All users in the tenant have access to the default Power Platform environment. Those users may inadvertently use connectors that share sensitive information with others who should not have access to it. Users requiring Power Apps should be directed to conduct development in other Power Platform environments with DLP connector policies customized to suit the user's needs while also maintaining the agency's security posture.
Solution
1. Sign in to your tenant environment's respective [Power Platform admin center](https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls).
2. On the left pane, select Policies > Data Policies.
3. Select the + New Policy icon to create a new policy.
4. Give the policy a suitable agency name and click Next.
5. At the Prebuilt connectors section, search and select the connectors currently in the Non-business | default tab containing sensitive data that can be utilized to create flows and apps.
6. Click Move to Business. Connectors added to this group cannot share data with connectors in other groups because a connector can reside in only one data group at a time.
7. If necessary (and possible) for the connector, click Configure connector at the top of the screen to change connector permissions. This allows greater flexibility for the agency to allow and block certain connector actions for additional customization.
8. For the default environment, move all other connectors to the Blocked category. For non-blockable connectors noted above, the Block action will be grayed out and a warning will appear.
9. At the bottom of the screen, select Next to move on.
10. Add a custom connector pattern. Custom connector patterns allow admins to specify an ordered list of Allow and Deny URL patterns for custom connectors. View [DLP for custom connectors | Microsoft Learn](https://learn.microsoft.com/en-us/power-platform/admin/dlp-custom-connector-parity?WT.mc_id=ppac_inproduct_datapol) for more information.
11. Click Next.
12. At the Scope section for the default environment, select Add multiple environments and add the default environment.
13. Select Next > Create Policy to finish.
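
To confirm the result of the steps above, the following added example (not part of the original audit item) checks a set of DLP policies for two conditions: a policy is scoped to the default environment, and no connector is left in Non-business there except ones that cannot be blocked. The field names, classification labels, environment names, and connector names are assumptions and constructed sample data, not values taken from this page.

```python
# Added example: audit exported DLP policies for the default environment.
# Field names and classification labels are assumptions about the export shape:
# "Confidential" = Business, "General" = Non-business, "Blocked" = Blocked.
NON_BUSINESS = "General"

def covers(policy, env_name):
    """True if the policy's scope includes the named environment."""
    names = {e["name"] for e in policy.get("environments", [])}
    scope = policy.get("environmentType")
    if scope == "AllEnvironments":
        return True
    if scope == "OnlyEnvironments":
        return env_name in names
    if scope == "ExceptEnvironments":
        return env_name not in names
    return False

def audit_default_env(policies, default_env, non_blockable=frozenset()):
    """Return findings; an empty list means steps 8 and 12 hold."""
    scoped = [p for p in policies if covers(p, default_env)]
    if not scoped:
        return [f"no DLP policy is scoped to {default_env}"]
    findings = []
    for p in scoped:  # each scoped policy is checked on its own
        for group in p.get("connectorGroups", []):
            if group.get("classification") != NON_BUSINESS:
                continue
            for c in group.get("connectors", []):
                if c["name"] not in non_blockable:
                    findings.append(f"{p['displayName']}: {c['name']} is Non-business")
    return findings

# Constructed sample data (placeholder environment name, sample connectors).
DEFAULT_ENV = "Default-00000000-0000-0000-0000-000000000000"
POLICIES = [
    {"displayName": "Agency default env", "environmentType": "OnlyEnvironments",
     "environments": [{"name": DEFAULT_ENV}],
     "connectorGroups": [
         {"classification": "Confidential", "connectors": [{"name": "shared_sharepointonline"}]},
         {"classification": "General", "connectors": [{"name": "shared_teams"}, {"name": "shared_twitter"}]},
         {"classification": "Blocked", "connectors": [{"name": "shared_dropbox"}]}]},
    {"displayName": "Dev sandbox", "environmentType": "OnlyEnvironments",
     "environments": [{"name": "dev-sandbox"}],
     "connectorGroups": [{"classification": "General", "connectors": [{"name": "shared_rss"}]}]},
]

if __name__ == "__main__":
    # shared_teams stands in for a connector the admin center will not block.
    for finding in audit_default_env(POLICIES, DEFAULT_ENV, {"shared_teams"}):
        print(finding)
```

Supply the set of non-blockable connectors from what the admin center shows as grayed out in step 8; anything else reported as Non-business still needs to be moved to Business or Blocked.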
Item Details
Category: ACCESS CONTROL, SECURITY ASSESSMENT AND AUTHORIZATION, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY
References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-4, 800-53|AC-6, 800-53|AC-16, 800-53|AC-20, 800-53|AC-23, 800-53|CA-3, 800-53|CA-7, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|SA-8, 800-53|SA-9, 800-53|SC-7, 800-53|SC-28, 800-53|SC-31, 800-53|SI-3, 800-53|SI-4, 800-53|SI-10, 800-53|SI-15
Control ID: 0553f21fd18aecc44aa1afffe36f795df6e9e1d72e04c569cb9035fed95f2973