Custom Connector support for DLP
I will explain how to add a custom connector to a Data Loss Prevention (DLP) policy.
I wrote about how Data Loss Prevention policies work in PowerApps and Flow in this article, if you need a refresher.
Microsoft introduced HTTP and Custom Connector Support for Data Loss Prevention Policies in January this year. I recommend reading that article first.
Prerequisites
To be able to create a DLP that manages custom connectors (and HTTP actions) you will need a couple of things:
The PowerShell syntax
To add a custom connector to a DLP we have to use the Add-CustomConnectorToPolicy cmdlet with this syntax:
Add-CustomConnectorToPolicy [-PolicyName] <String> [-ConnectorName] <String> [-GroupName] <String> [-ConnectorId] <String> [-ConnectorType] <String> [-ApiVersion] <String>
As you can tell from the syntax, we need a few things before we can add a custom connector to a DLP:
- PolicyName – The policy name.
- ConnectorName – The connector's name (not the display name).
- GroupName – Accepted values lbi or hbi – lbi is for the No Business Data Allowed group and hbi is for Business Data Only.
- ConnectorId – The custom connector ID.
- ConnectorType – The custom connector type.
- ApiVersion – The API version to call with. The default value is 2018-01-01.
The next step here is to create the DLP to get the PolicyName and, after that, we will get the rest of the details.
Creating the DLP
I currently have 2 DLPs in my tenant which I created through the UI.
To create a new DLP to handle custom connectors, you will have to use the PowerShell command below – I named my policy Custom Connectors:
New-AdminDlpPolicy -DisplayName "Custom Connectors" -SchemaVersion 2018-11-01
This command takes a -SchemaVersion parameter, and you have to pass 2018-11-01 to it.
You need this schema version because it is the policy definition schema that supports custom connectors and HTTP actions; the older schema has no place for them. You can see the version echoed back as the $schema URL in the policy JSON returned later in this article.
If you did everything right, the result will look like below. Notice that the PolicyName is a GUID – copy the GUID because you will need it later:
PolicyName : 68f4ad82-8954-4962-903d-2e8118d834b6
DisplayName : Custom Connectors
CreatedTime : 2019-05-10T05:03:47.7271705Z
CreatedBy : @{id=3a5c33ab-949c-445b-8032-efe18d02a234; displayName=Superman; email=superman@superheroes.onmicrosoft.com; type=User;
tenantId=cf811315-a2b6-44a6-94c6-1d78a2b08e8d; userPrincipalName=superman@superheroes.onmicrosoft.com}
LastModifiedTime : 2019-05-10T05:03:47.7271705Z
LastModifiedBy : @{id=3a5c33ab-949c-445b-8032-efe18d02a234; displayName=Superman; email=superman@superheroes.onmicrosoft.com; type=User;
tenantId=cf811315-a2b6-44a6-94c6-1d78a2b08e8d; userPrincipalName=superman@superheroes.onmicrosoft.com}
Constraints :
BusinessDataGroup : {}
NonBusinessDataGroup : {}
FilterType :
Environments :
If you go back to the PowerApps Admin Center you will see the policy in the UI under Data Policies:
Managing HTTP actions in the DLP
Now that the DLP is created, you can add the HTTP actions to one of the data groups in the DLP.
By default, the HTTP actions will sit in the No business data allowed data group, as shown below:
Now you can move the actions to the Business Data Only data group if you want them to be usable together with your business data connectors. Keep in mind what that means: the policy's data flow rule blocks data moving from the Business Data Only group to the No Business Data Allowed group, so once the HTTP actions sit in Business Data Only, a flow can send business data to whatever URL those actions call. Only do this if you trust the endpoints that flows in that environment will reach.
To do this, click the Add button in the Business Data Only data group, search for "http" in the Add connectors dialog, select the HTTP actions and click the Add connectors button.
This will add the HTTP actions to the Business Data Only data group as shown below:
That is all that you have to do to manage HTTP actions in a Data Loss Prevention policy.
Obviously, you can create multiple DLPs, perhaps one to handle HTTP actions and another one to handle one or more custom connectors.
Now I will explain how to add a custom connector to a DLP.
Identifying the Custom Connector
I have the PolicyName from the previous step and now I need the rest of the details.
The next thing you need to do is to identify the custom connector you want to add to the DLP and get its display name.
In my case, the custom connector I want to add is Yelp and I can find it by going to the PowerApps Portal or Flow Portal >> Data >> Custom Connectors
If you want to know how I built this connector, read this article.
Clicking on the Yelp connector will open the Details page.
On this Details page I can see the connector's display name, its description, who created it, and the authentication type. However, to manage this connector in a DLP I need the connector's identifier (the ConnectorName), and that is not exposed in this UI.
Getting the custom connector details
Now that I know the name of my custom connector, I can query it in PowerShell and get its ConnectorName using this command:
Get-AdminPowerAppConnector | Where-Object {$_.DisplayName -eq "yelp"}
This command will return the connector properties, including the ConnectorName, ConnectorId, and type.
The type is a key in the connector's Internal property which contains the connector type value. As you can see below, in this case, the connector type is Microsoft.PowerApps/apis:
ConnectorName : shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76
ConnectorId : /providers/Microsoft.PowerApps/scopes/admin/environments/Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d/apis/shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76
EnvironmentName : Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d
CreatedTime : 2019-04-08T06:05:37.7594443Z
ChangedTime : 2019-05-06T05:00:15.8871843Z
DisplayName : Yelp
Description : Yelp! connector
Publisher : Superman
Source : powerapps-user-defined
Tier : Standard
Url : https://msmanaged-na.azure-apim.net/apim/yelp.5f2a67e956e74d0db1.5f77834d48371e7a76
ConnectionParameters : @{api_key=}
Swagger :
WadlUrl :
Internal : @{name=shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76; id=/providers/Microsoft.PowerApps/apis/shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76; type=Microsoft.PowerApps/apis; properties=}
Adding the custom connector to DLP
Now that we have the policy name, the connector name, the connector ID, and the connector type, we can run the Add-CustomConnectorToPolicy command:
Add-CustomConnectorToPolicy -PolicyName "68f4ad82-8954-4962-903d-2e8118d834b6" -ConnectorName "shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76" -GroupName "hbi" -ConnectorId "/providers/Microsoft.PowerApps/scopes/admin/environments/Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d/apis/shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76" -ConnectorType "Microsoft.PowerApps/apis"
If we did everything right, the response comes back with Code 200. Do check the Code rather than assuming success, because the cmdlet returns a response object instead of throwing on failure:
Code : 200
Description : OK
Error :
Errors :
Internal : {
  "id": "/providers/Microsoft.BusinessAppPlatform/scopes/admin/apiPolicies/68f4ad82-8954-4962-903d-2e8118d834b6",
  "type": "Microsoft.BusinessAppPlatform/scopes/apiPolicies",
  "name": "68f4ad82-8954-4962-903d-2e8118d834b6",
  "tags": {},
  "properties": {
    "displayName": "Custom Connectors",
    "createdTime": "2019-05-10T05:03:47.7271705Z",
    "createdBy": {
      "id": "3a5c33ab-949c-445b-8032-efe18d02a234",
      "displayName": "Superman",
      "email": "superman@superheroes.onmicrosoft.com",
      "type": "User",
      "tenantId": "cf811315-a2b6-44a6-94c6-1d78a2b08e8d",
      "userPrincipalName": "superman@superheroes.onmicrosoft.com"
    },
    "lastModifiedTime": "2019-05-15T05:49:17.7995853Z",
    "lastModifiedBy": {
      "id": "3a5c33ab-949c-445b-8032-efe18d02a234",
      "displayName": "Superman",
      "email": "superman@superheroes.onmicrosoft.com",
      "type": "User",
      "tenantId": "cf811315-a2b6-44a6-94c6-1d78a2b08e8d",
      "userPrincipalName": "superman@superheroes.onmicrosoft.com"
    },
    "definition": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.BusinessAppPlatform/schemas/2018-11-01/apiPolicyDefinition.json#",
      "constraints": {},
      "apiGroups": {
        "lbi": {
          "description": "No business data allowed",
          "apis": []
        },
        "hbi": {
          "description": "Business data only",
          "apis": [
            {
              "id": "/providers/Microsoft.PowerApps/scopes/admin/environments/Default-cf811315-a2b6-44a6-94c6-1d78a2b08e8d/apis/shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76",
              "name": "shared_yelp.5f2a67e956e74d0db1.5f77834d48371e7a76",
              "type": "Microsoft.PowerApps/apis"
            }
          ]
        }
      },
      "defaultApiGroup": "lbi",
      "rules": {
        "dataFlowRule": {
          "type": "DataFlowRestriction",
          "parameters": {
            "destinationApiGroup": "lbi",
            "sourceApiGroup": "hbi"
          },
          "actions": {
            "blockAction": {
              "type": "Block"
            }
          }
        }
      }
    }
  }
}
Two details in this JSON are worth noting. "defaultApiGroup" is "lbi", so any connector the policy does not list explicitly is treated as No Business Data Allowed. And the only rule is a DataFlowRestriction that blocks data moving from the hbi group to the lbi group, which is what stops a flow from combining a Business Data Only connector with a No Business Data Allowed one.
This is how it looks in the UI:
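The steps above (resolve the policy, resolve the connector, add it, confirm the result) as one script with the checks the individual one-liners skip. This is an added example, not code from the original post. It assumes the Microsoft.PowerApps.Administration.PowerShell module is installed and you have already signed in with Add-PowerAppsAccount; the display names "Custom Connectors" and "Yelp" are the ones used in this article, and the assumption that each BusinessDataGroup entry exposes a name field (as the apis entries in the JSON above do) is marked in the code.

```powershell
# Added example, not the original post's code. Assumes the
# Microsoft.PowerApps.Administration.PowerShell module is loaded and
# Add-PowerAppsAccount has already been run.

$policyDisplayName    = 'Custom Connectors'   # policy created earlier in the article
$connectorDisplayName = 'Yelp'                # custom connector to classify

# 1. Resolve the policy by display name. Add-CustomConnectorToPolicy wants the
#    PolicyName GUID, not the display name.
$policies = @(Get-AdminDlpPolicy | Where-Object { $_.DisplayName -eq $policyDisplayName })
if ($policies.Count -ne 1) {
    throw "Expected exactly one DLP policy named '$policyDisplayName', found $($policies.Count)."
}
$policy = $policies[0]

# 2. Resolve the custom connector. Display names are not unique across
#    environments, so refuse to continue on anything but a single match instead
#    of silently classifying the wrong connector.
$found = @(Get-AdminPowerAppConnector | Where-Object { $_.DisplayName -eq $connectorDisplayName })
if ($found.Count -ne 1) {
    $found | Select-Object DisplayName, EnvironmentName, ConnectorName | Format-Table -AutoSize | Out-String | Write-Host
    throw "Expected exactly one custom connector named '$connectorDisplayName', found $($found.Count)."
}
$connector = $found[0]

# 3. Take the identifiers straight from the object rather than copying them by hand.
$connectorName = $connector.ConnectorName
$connectorId   = $connector.ConnectorId
$connectorType = $connector.Internal.type     # Microsoft.PowerApps/apis for a custom connector

# 4. Place it in the Business Data Only (hbi) group and check the response code.
#    The cmdlet returns a response object; it does not throw on failure.
$result = Add-CustomConnectorToPolicy -PolicyName $policy.PolicyName `
    -ConnectorName $connectorName -GroupName 'hbi' `
    -ConnectorId $connectorId -ConnectorType $connectorType
if ($result.Code -ne 200) {
    throw "Add-CustomConnectorToPolicy failed: $($result.Code) $($result.Description) $($result.Error)"
}

# 5. Re-read the policy and confirm the connector really is in hbi now.
#    Assumption: each BusinessDataGroup entry exposes a 'name' field, matching
#    the 'apis' entries in the policy JSON.
$after = Get-AdminDlpPolicy -PolicyName $policy.PolicyName
$inHbi = @($after.BusinessDataGroup | Where-Object { $_.name -eq $connectorName })
if ($inHbi.Count -ne 1) {
    throw "Connector '$connectorName' is not in the Business Data Only group of '$($after.DisplayName)' after the add."
}
Write-Host "Connector '$connectorName' is now in the Business Data Only group of policy '$($after.DisplayName)'."
```

The re-read in step 5 is the part worth keeping even if you trim the rest: a 200 tells you the API accepted the call, while the policy's own group membership tells you what flows will actually be allowed to do.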
Removing the custom connector from the DLP
To remove the connector, we can run the Remove-CustomConnectorFromPolicy command. We only need the PolicyName and ConnectorName:
Remove-CustomConnectorFromPolicy -PolicyName "68f4ad82-8954-4962-903d-2e8118d834b6" -ConnectorName "shared_yelp.5f2a67e956
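Because the policy JSON shown earlier has "defaultApiGroup" set to "lbi", a custom connector that no policy lists explicitly is silently treated as No Business Data Allowed, and once you have several DLPs it is easy to lose track of which connector sits where. The following audit, an added example rather than code from the original post, lists every user-built custom connector in the tenant with the policies and groups that classify it. It uses the same module and sign-in assumptions as the script above, filters custom connectors on the Source value powerapps-user-defined shown in the connector output earlier, and assumes the data group entries expose a name field.

```powershell
# Added example, not the original post's code. Assumes the
# Microsoft.PowerApps.Administration.PowerShell module is loaded and
# Add-PowerAppsAccount has already been run.

# ConnectorName -> list of "policy (group)" strings
$placements = @{}

# Record one placement; skips entries without a name.
# Assumption: data group entries expose a 'name' field like the 'apis'
# entries in the policy JSON.
function Add-Placement([string]$ConnectorName, [string]$Label) {
    if ([string]::IsNullOrEmpty($ConnectorName)) { return }
    $placements[$ConnectorName] += @($Label)
}

foreach ($p in @(Get-AdminDlpPolicy)) {
    foreach ($api in @($p.BusinessDataGroup)) {
        Add-Placement -ConnectorName $api.name -Label "$($p.DisplayName) (hbi)"
    }
    foreach ($api in @($p.NonBusinessDataGroup)) {
        Add-Placement -ConnectorName $api.name -Label "$($p.DisplayName) (lbi)"
    }
}

# Only connectors built by users of this tenant, not Microsoft's standard ones.
$custom = @(Get-AdminPowerAppConnector | Where-Object { $_.Source -eq 'powerapps-user-defined' })

$report = foreach ($c in $custom) {
    $where = $placements[$c.ConnectorName]
    [pscustomobject]@{
        DisplayName   = $c.DisplayName
        Environment   = $c.EnvironmentName
        ConnectorName = $c.ConnectorName
        Placement     = if ($where) { $where -join '; ' } else { '(not listed: falls under defaultApiGroup lbi)' }
    }
}

$report | Sort-Object Placement, DisplayName | Format-Table -AutoSize
```

Read the "not listed" rows as the connectors whose classification you have never actually decided. One caveat: the script does not look at the Environments field of each policy, so a connector that appears under a policy scoped to a different environment is reported as classified even though that policy does not apply to it; if you use environment-scoped DLPs, compare the connector's EnvironmentName against the policy's Environments before trusting a row.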