Overview
Power Platform allows users to rapidly build and rollout high-value applications by connecting across multiple data sources. However, if some of these applications are connected to external data sources, there is a potential risk for data leakage to services and unintended audiences.
Data Loss Prevention (DLP) Policies help keep your organisation’s data safe and secure. DLP Policies are applied to all environments at NHSmail and govern which data sources or services your application or flow can connect to.
Connectors and categorisation
A Data Loss Prevention (DLP) Policy is composed of a list of reviewed and categorised connectors.
A connector is a potential data connection point in the Microsoft Power Platform – some examples of connectors are SQL Server, Dataverse (formerly Common Data Service), Twitter, etc. Visit the Microsoft website for a full list of supported connectors.
The DLP Policy categorises connectors into one of the following data groups:
- Business – connectors which host business-use data
- Non-Business – connectors which host personal-use data or unsanctioned connectors
- Blocked – restrict usage of Connector across one or more environments
Data can only be shared among services/connectors within the same data group. For example, a connector in the Business category will share data with another connector in the Business category, thus allowing data flow between the two services/connectors in Microsoft Power Platform.
However, data cannot be shared among connectors in different groups. For example, a connector in the Business category will not share data with a connector in the Non-Business category and this will cause an error message.
NHSmail DLP Policies
NHSmail has two DLP policies which have been configured for different use cases:
Basic DLP Policy
The Basic DLP Policy is configured to allow the average Power Platform user to implement basic workflows. This policy should be applied to environments where the organisation’s users:
- Pull business data from standard Microsoft connectors (i.e. SQL Server, Excel, SharePoint).
- Need access to the Dataverse (formerly Common Data Service)
- Do not connect to data in the Azure Cloud ecosystem.
The business connectors in the Basic DLP Policy are outlined below. All remaining connectors that are not listed below are classified as non-business. No connectors have been blocked in the Basic DLP Policy.
List of Business Connectors (all remaining connectors classified as Non-Business) |
|
. Approvals · Dynamics 365 for Fin & Ops · Excel Online (Business) · Excel Online (OneDrive) . Microsoft Dataverse · Microsoft Dataverse(legacy) · Microsoft Defender ATP · Microsoft Forms · Microsoft StaffHub · Microsoft Teams · Microsoft To-Do (Business) · Muhimbi PDF · Notifications · Office 365 Groups · Office 365 Outlook · Office 365 Users · Office 365 Video · OneDrive for Business · OneNote (Business) |
· Oracle Database · Planner · Power Apps for Admins · Power Apps for Makers · Power Apps Notification · Power Automate for Admins · Power BI · Power Platform for Admins · Project Online · RSS · ServiceNow · SharePoint · Shifts for teams · SMTP · SQL Server · Word Online (Business) · Yammer |
Advanced DLP Policy
The Advanced DLP Policy caters for more complex development. This policy should be applied to environments where the organisation’s users:
- Pull business data from more complex connectors (i.e. Azure Datalake, Azure Comos DB)
- Need access to the Dataverse (formerly Common Data Service)
- Connect to data in Azure Cloud ecosystem
The business connectors in the Advanced DLP Policy are outlined in the table below. All remaining connectors that are not listed below are classified as Non-Business. No connectors have been blocked in the Advanced DLP Policy.
List of Business connectors (all remaining connectors classified as Non-Business) |
|
· Azure AD Identity Protection · Azure App Service · Azure Application Insights · Azure Automation · Azure Blob Storage · Azure Communication Services SMS · Azure Container Instance · Azure Cosmos DB · Azure Data Explorer · Azure Data Factory · Azure Data Lake · Azure DevOps · Azure Event Grid · Azure Event Grid Publish · Azure File Storage · Azure Key Vault · Azure Log Analytics Data Collector · Azure Monitor Logs · Azure Queues · Azure Resource Manager · Azure SQL Data Warehouse · Azure Table Storage · Azure VM · Azure IoT Central V2 · Azure Iot Central V3 · Approvals · Dynamics 365 Customer Insights Co · Dynamics 365 Customer Voice · Dynamics 365 for Fin & Ops · Dynamics 365 Sales Insights · Excel Online (Business) · Excel Online (OneDrive) |
· HTTP (https://www.gov.uk/bank-holidays.json) · Microsoft Bookings · Microsoft Dataverse · Microsoft Dataverse (legacy) · Microsoft Defender ATP · Microsoft Forms · Microsoft StaffHub · Microsoft Teams · Microsoft To-Do (Business) · Muhimbi PDF · Notifications · Office 365 Groups · Office 365 Outlook · Office 365 Users · Office 365 Video · OneDrive for Business · OneNote (Business) · Oracle Database · Planner · Power Apps for Admins · Power Apps for Makers · Power Apps Notification · Power Automate for Admins · Power BI · Power Platform for Admins · Project Online · RSS · ServiceNow · SharePoint · Shifts for teams · SMTP · SQL Server . Word Online (Business) · Yammer |
Basic and Advanced DLP policies have been configured so that they contain the same core list of connectors within the “Business” data group. However, the Advanced DLP Policy contains all Basic DLP Policies “Business” connectors with the addition of:
- All Azure Cloud connectors
- Dataverse including Microsoft Dataverse connectors
- Three additional Customer-focussed Dynamics connectors
- Dynamics 365 Customer Insights Co
- Dynamics 365 Customer Voice
- Dynamics 365 Sales Insights
Requesting a DLP Policy for your new environment
When submitting a request to create a new environment, a user will be able to choose between the Basic or Advanced DLP Policy to apply to the environment.
These policies have been configured to capture most use cases for Power Platform. Please make sure that you have read and understood the above information on DLP policies before selecting either policy.
To find out more about creating an environment, please see the support documentation Power Platform Environments.
DLP Policy requests
Request to change DLP Policy
It is possible to change the policy applied on an environment at any point in time. However, it should be noted that a change in DLP Policy may impact the applications and/or flows that exist in that environment.
Specifically, any connectors that are used in an environment’s applications and/or flows that change in data group classification (i.e.: move from Business to Non-Business) will no longer work.
Follow the steps outlined below to request a change to DLP Policy:
1. Visit the NHSmail Helpdesk Self-Service page and navigate to ‘Power Platform Request’. Select the category ‘Change a Data Loss Prevention (DLP) Policy’ and input the information requested in the form
2. The NHSmail Helpdesk will review your request and change the DLP Policy for your environment
3. You can view the status of your request by following the instructions in Viewing tickets & updates
4. Once your ticket is complete, you will receive a confirmation email notifying you that the ticket has been closed
DLP Policy exception requests
In exceptional circumstances, a request can be submitted for an exception DLP Policy.
Please note that exception requests are reviewed on a case-by-cases basis and require an accompanying business case.
Requests to amend or create a new DLP policy can be submitted via the NHSmail Helpdesk Self-Service page.
Note prior to submitting the request please ensure that you have completed the following steps:
- A Power Platform environment request is in progress or your environment already exists
- You have read and understood the documentation on the NHSmail DLP Policies and list of approved connectors
- You have a business case for any additional connectors and a full list of the connectors required
The following steps outline the process to request an exception.
1. Visit the NHSmail Helpdesk Self-Service page and navigate to ‘Power Platform Request’. Select the category ‘Request a Data Loss Prevention (DLP) Policy exception’ and input the information requested in the form
2. Once submitted, the request will be reviewed by NHSmail Technical Architects. In some cases, additional information may be required to assess the request
3. You can view the status of your request by following the instructions in Viewing tickets & updates
4. Once finalised the decision will either be approved or denied and either outcome will be updated on the ticket and subsequently closed
Last Reviewed Date | 19/04/2023 |