Introducing Data Loss Prevention Policies in Microsoft Flow

One of the most common pieces of feedback we heard from Preview users was the need to protect sensitive business data, hosted in enterprise services such as SharePoint and Dynamics 365, from leaving the company via consumer services such as Dropbox and Twitter. As part of our General Availability announcement, we are releasing the Microsoft Flow Admin Center which will enable administrators to create Data Loss Prevention (DLP) policies that define which services business data can be shared with when using Flow. In this blog post, I’ll walk you through how to create a DLP Policy for your company and the experience for your end users.

Environments and DLP

DLP policies apply to one or more environments. An environment is a space to store and manage your organization’s flows, PowerApps, and business data. Environments are geo-located, which means that the flows, apps, and business data that live within an environment will be in the region where the environment is located. All users have access to a default environment, within which they can create and manage their flows.

As a tenant administrator, you can create a DLP policy that applies to one or more environments. For example, you could create a policy that applies to all environments in your tenant or just the Contoso USA environment.

As an environment administrator, you can create a DLP policy for only a single environment.

Data groups

Once you’ve defined the environment you want your policy to apply to, you can classify services into two data groups: Business data only and No business data allowed. Both Flows and PowerApps will be prevented from sharing data between services in different groups. However, data can be shared between services within a specific group. For example, if you classify SharePoint and Office 365 Outlook into the Business data only group and all other services, such as Twitter and Facebook, into the No business data allowed group, the users of your environment can create a Flow that uses SharePoint and Office 365 Outlook, but they cannot create one that uses SharePoint and Twitter.

How do I create a DLP policy?

Let’s imagine I want to create a policy for the Marketing department at Contoso. I’ll head over to the Flow Admin Center and create a new environment in the Environments tab, called Contoso Marketing. I’ll also add members of the Marketing team as Makers in this environment.

Once my environment is provisioned, I’ll proceed to the Data Policies tab to create a new policy for this environment.

In the Applies To tab, I’ll select the Contoso Marketing environment and click Continue.

In the Data Groups tab, I’m going to move all business-critical services to the Business data only group and leave all other services in the default No business data allowed group. For example, I’ll move SharePoint, OneDrive for Business, Dynamics CRM Online, Office 365 Outlook, and Office 365 Users to the Business data only group while leaving all other services in the other group. Once I’m done with my changes, I’ll save the policy. After a policy is saved, it immediately applies to all users in that environment.

What do my users see?

As a user in the Contoso Marketing environment, when I try to save a Flow that uses SharePoint as a trigger and Twitter as an action, my Flow is immediately suspended.
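The data-group rule, modelled as an added example (not Microsoft's code and not a Flow API): it applies the Contoso Marketing policy from this walkthrough to a constructed inventory of flows and lists the ones that combine services from both groups, which is a useful check to run before saving a policy. The class and function names and the flow inventory are assumptions made for illustration.

```python
BUSINESS = "Business data only"
NON_BUSINESS = "No business data allowed"  # default group for unclassified services


class DlpPolicy:
    def __init__(self, name, business_services):
        self.name = name
        # Normalise names so "sharepoint" and "SharePoint" classify the same way.
        self._business = {s.casefold() for s in business_services}

    def group_of(self, service):
        # Anything not explicitly moved to the business group stays in the default.
        return BUSINESS if service.casefold() in self._business else NON_BUSINESS

    def evaluate(self, services):
        """Return (allowed, groups); groups maps data group -> services used."""
        groups = {}
        for service in services:
            groups.setdefault(self.group_of(service), []).append(service)
        # A flow is allowed only if every service it uses sits in one group.
        return len(groups) <= 1, groups


def audit(policy, flows):
    """Return {flow name: groups} for flows the policy would not allow."""
    blocked = {}
    for name, services in flows.items():
        allowed, groups = policy.evaluate(services)
        if not allowed:
            blocked[name] = groups
    return blocked


# The policy built in the walkthrough above.
CONTOSO_MARKETING = DlpPolicy("Contoso Marketing", [
    "SharePoint", "OneDrive for Business", "Dynamics CRM Online",
    "Office 365 Outlook", "Office 365 Users",
])

# Constructed inventory (hypothetical flow names) used only for this example.
SAMPLE_FLOWS = {
    "Tweet new list items": ["SharePoint", "Twitter"],
    "Mail on new document": ["SharePoint", "Office 365 Outlook"],
    "Save tweets to Dropbox": ["Twitter", "Dropbox"],
    "Copy attachments": ["Office 365 Outlook", "OneDrive for Business", "Dropbox"],
}

if __name__ == "__main__":
    for flow, groups in audit(CONTOSO_MARKETING, SAMPLE_FLOWS).items():
        print(f"{flow}: mixes {groups}")
```

A flow that uses only consumer services, such as Twitter with Dropbox, passes the check because both services sit in the same group.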

We know securing data is important, so we invite you to try out this new experience and share your feedback with us, either using the comments below or through the Flow Community forums.