ASD's Blueprint for Secure Cloud

Connectors and Data Loss Prevention Policies

This section describes the design decisions associated with restricting access of connectors within Power Platform for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 4 minutes

Power Apps and Power Automate are built with underlying connectors that enable applications to consume data from other services and define businesses process to act on this information. Power Apps and Power Automate connectors can be categorised as follows:

  • Microsoft 365 and Office 365 connectors – These connectors provide data access to Microsoft 365 and Office 365 applications (e.g. SharePoint, Teams)
  • Azure Services connectors – Azure services connectors provide Power Apps and Power Automate access to consume Azure Services (e.g. Azure Cosmos DB, Azure Computer Vision API)
  • Third Party connectors – Third Party connectors enable external vendors to provide a service to Power Apps and Power Automate (e.g. Adobe Reader Sign)
  • On-premises data connectors – On-premises data connectors enable Power Apps and Power Automate to consume data from a variety of sources such as SQL Server and SharePoint On-Premises
  • Custom connectors – in a situation when a connector is not present, a custom connector can be created to connect to a service that has a REST API

The following image shows consideration required for authentication process and requirements for each generalised group of connectors. The cloud services connector is required to be registered in Azure platform before it can be consumed in Power App and Power Automate. On-premises data access requires a service account for network access and a database service account access for Power Apps and Power Automate to consume its data.

Power Apps and Power Automate authentication flow

See Microsoft documentation for additional information on Power Apps and Power Automate authentication and security.

Data Loss Prevention Policies Overview

Organisations can create Power Platform data loss prevention (DLP) policies to act as guardrails which helps prevent users from unintentionally exposing organisational data via connectors. DLP policies can be scoped at the environment level or tenant level, offering flexibility to craft sensible policies that strike the right balance between protection and productivity. For tenant-level policies organisations can define the scope to be all environments, selected environments, or all environments except ones specifically excluded. Environment-level policies can be defined for one environment at a time.

DLP policies enforce rules for which connectors can be used together by classifying connectors as either Business or Non-Business grouping. Business group connectors can only be used with other connectors from that group in any given app or flow. Organisations may want to block the usage of certain connectors altogether by classifying them as Blocked.

Security & Governance

  • None identified

Design

  • None identified

References

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra