AlexAlger
Level: Powered On

If we whitelist all of MS Connector IPs, can MS limit O365 Environments able to target our systems?

Hello,

We love PowerApps! We'd like to use PowerApps as a front-end to manage some business processes, which include the collection of information we'd like to parse and pass into non-MS enterprise systems.

I want to pass a CSV from a Doc Library out via MS Flow's SFTP action. In working through our IT Sec and Ops Teams' evaluation processes, flags were raised that by whitelisting each of the Connector IP addresses listed here: https://docs.microsoft.com/en-us/flow/limits-and-config (which I have confirmed are hitting their firewall) we would be exposing internal systems to potential targeting by any other O365 client's environment running in the United States Region. (Yes, of course we are taking steps such as auth and SSH to secure any interactions with targeted systems, but the idea of bypassing the firewall for every MS Flow customer in the US didn't sit well with leadership.)

My first thought was that MS likely anticipated this concern, and might offer their clients the ability to define the environments from which an SFTP or other external reaching Connector can call to the IP of our external facing endpoint. This might not be the case, but I'm hoping someone can suggest a path toward mitigation of, or point to a mechanism negating, potential exposure of our system through whitelisting the IPs MS has defined.

Also, how often is that list of IPs anticipated to change? In the absence of sharing FQDN there is a concern around maintenance requirements to ensure ongoing functionality. There are around a dozen business processes where we'd like to use this functionality in the short term, with potentially many hundreds/thousands of transactions in a given day to various enterprise systems, and we've not had a solution with the potential of PowerApps to get excited about in the years since these needs were identified.

Unfortunately, the security concern raised around this has resulted in each of those efforts going into a hard-freeze, unless an amicable solution can be reached. We do have pretty much every nature of available support agreement with MS in place, and I'll happily sign-off on the commitment of those resources if MS or any other customer can tell me there is hope for a solution in that partnership.

Thanks,

Alex Alger

1 REPLY
tfhegdbn
Level: Powered On

Re: If we whitelist all of MS Connector IPs, can MS limit O365 Environments able to target our syste

I hope this link is helpful to you. Your question is a bit complicated; I think you can ask for help directly from the Microsoft Flow product group.

https://docs.microsoft.com/en-us/flow/environments-overview-admin
