
If we whitelist all of MS Connector IPs, can MS limit O365 Environments able to target our systems?

Hello, 

 

We love PowerApps!  We'd like to use PowerApps as a front-end to manage some business processes, which include the collection of information we'd like to parse and pass into non-MS enterprise systems. 

 

I want to pass a CSV from a Doc Library out via MS Flow's SFTP action.  In working through our IT Sec and Ops Teams' evaluation processes, flags were raised that by whitelisting each of the Connector IP addresses listed here: https://docs.microsoft.com/en-us/flow/limits-and-config (which I have confirmed are hitting their firewall) we would be exposing internal systems to potential targeting by any other O365 client's environment running in the United States Region.  (Yes, of course we are taking steps such as auth and SSH to secure any interactions with targeted systems, but the idea of bypassing the firewall for every MS Flow customer in the US didn't sit well with leadership.)

 

My first thought was that MS likely anticipated this concern, and might offer their clients the ability to define the environments from which an SFTP or other external reaching Connector can call to the IP of our external facing endpoint. This might not be the case, but I'm hoping someone can suggest a path toward mitigation of, or point to a mechanism negating, potential exposure of our system through whitelisting the IPs MS has defined.  

 

Also, how often is that list of IPs anticipated to change? In the absence of sharing FQDN there is a concern around maintenance requirements to ensure ongoing functionality.  There are around a dozen business processes where we'd like to use this functionality in the short term, with potentially many hundreds/thousands of transactions in a given day to various enterprise systems, and we've not had a solution with the potential of PowerApps to get excited about in the years since these needs were identified.  

 

Unfortunately, the security concern raised around this has resulted in each of those efforts going into a hard-freeze, unless an amicable solution can be reached.  We do have pretty much every nature of available support agreement with MS in place, and I'll happily sign-off on the commitment of those resources if MS or any other customer can tell me there is hope for a solution in that partnership. 

 

Thanks, 

 

Alex Alger

 


Re: If we whitelist all of MS Connector IPs, can MS limit O365 Environments able to target our syste

I hope this link is helpful to you. Your question is a bit complicated; I think you can ask for help directly from the Microsoft Flow product group.

https://docs.microsoft.com/en-us/flow/environments-overview-admin
