Managing Custom Connectors in Data Loss Prevention Policies

    Article Summary

    Data Loss Prevention (DLP) policies are an important line of defense when trying to prevent data leakage in your organization. By default, custom connectors do not show up in the DLP editor experience found in the Power Automate Admin center.

    However, from a DLP perspective, it is important to understand that custom connectors are added to the default data group in DLP policies even though they are not visible in the DLP editor experience. This creates some challenges for organizations because the No business data allowed data group is usually the default data group. When a custom connector lands in this data group, it cannot be used in the same flow as connectors from the Business data only data group.

    While we cannot change this default behavior in the DLP editor, we can use PowerShell to add our custom connectors to a DLP policy, which will subsequently let us manage them using the DLP editor. To achieve this, we need to use the Microsoft Power Apps and Power Automate PowerShell cmdlets. The specific cmdlet that we will use is called Add-CustomConnectorToPolicy.

    Some of the parameters require additional look-ups, including PolicyName, ConnectorName and ConnectorId.

    Our PolicyName can be obtained by calling the Get-AdminDlpPolicy cmdlet and identifying the PolicyName attribute of the DLP policy that we want to add our custom connector to.

    We now need to do something similar for our custom connector by calling the Get-AdminPowerAppConnector cmdlet. Here we will find both our ConnectorName and ConnectorId values.

    The other two parameters that we need to include in our Add-CustomConnectorToPolicy cmdlet call are:

    • GroupName: Where we need to provide a value of hbi if we want our connector to be added to the Business data only data group. If we want our custom connector to be added to our No business data allowed data group, then we need to provide a value of lbi.
    • ConnectorType: Here we need to provide a value of Microsoft.PowerApps/apis.

    Once we have issued our Add-CustomConnectorToPolicy call, we will be able to manage our custom connector in the DLP editor.
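The look-ups and the final call described above, combined into one script. This is an added example, not code from the original article; the two display names are placeholders, and matching on the DisplayName property plus the exactly-one-match guards are assumptions added so the connector is never attached to the wrong policy.

```powershell
# Added example. Requires the Microsoft.PowerApps.Administration.PowerShell module
# and an account with Power Platform admin rights.
Import-Module Microsoft.PowerApps.Administration.PowerShell
Add-PowerAppsAccount   # interactive sign-in

# Placeholders (assumptions): replace with the names used in your tenant.
$policyDisplayName    = '<DLP policy display name>'
$connectorDisplayName = '<custom connector display name>'

# 'hbi' = Business data only, 'lbi' = No business data allowed
$groupName = 'hbi'
if ($groupName -notin 'hbi', 'lbi') {
    throw "GroupName must be 'hbi' or 'lbi', got '$groupName'."
}

# Look up the PolicyName of the target DLP policy.
$policy = @(Get-AdminDlpPolicy | Where-Object DisplayName -eq $policyDisplayName)
if ($policy.Count -ne 1) {
    throw "Expected exactly one DLP policy named '$policyDisplayName', found $($policy.Count)."
}

# Look up the ConnectorName and ConnectorId of the custom connector.
# The same display name can exist in several environments, so refuse to guess.
$connector = @(Get-AdminPowerAppConnector | Where-Object DisplayName -eq $connectorDisplayName)
if ($connector.Count -ne 1) {
    throw "Expected exactly one connector named '$connectorDisplayName', found $($connector.Count)."
}

# Add the connector to the chosen data group of the policy.
$params = @{
    PolicyName    = $policy[0].PolicyName
    ConnectorName = $connector[0].ConnectorName
    ConnectorId   = $connector[0].ConnectorId
    GroupName     = $groupName
    ConnectorType = 'Microsoft.PowerApps/apis'
}
Add-CustomConnectorToPolicy @params
```

Choosing hbi places the custom connector alongside the Business data only connectors, so review what data the connector can send outside the tenant before moving it out of the default group.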

    Conclusion

    If an organization is going to spend the time and resources to build a custom connector, they should be interested in managing this connector in DLP policies. While we can’t directly manage custom connectors in the out-of-box DLP policy editor experience, we can do so once we add them using the PowerShell cmdlets provided by Microsoft.

