In our company, access to the Flow and PowerApps websites is blocked because at the moment it is not possible to make data policies that disable certain connectors. We know it is possible to isolate a connector by using Data Groups, but this becomes unmanageable, and even then, a connector is not blocked, and can still be used.
Also, our company does not want their company environment to be used to create/host "personal flows (no business data allowed)".
Will there be a possibility to completely block specific connectors from being used via a data policy?
Microsoft Flow is a fully public cloud service, and everyone in the world can sign up and use it to automate their day-to-day tasks. To use Microsoft Flow there is no requirement that users have or use an Office 365 account. Because of this, there’s no mechanism at this time for you to block another person from using Flow (as everyone in the world can, irrespective of their email address).
However, if a person signs up for Microsoft Flow, and you choose to not support them inside of your organization, they can in no way incur costs to your company. When an individual signs up for Microsoft Flow, the relationship is between that individual and Microsoft, which is like many other cloud services from Microsoft such as Bing, Wunderlist, OneDrive, or Outlook.com. An individual's use of Microsoft Flow does not in any way imply that the service is provided by your organization.
Finally, if your company wishes to restrict the use of organizational-only data inside of Microsoft Flow, that is possible through Data loss prevention (DLP) policies.
Thank you for your response.
We are using Office 365 and SharePoint in our company. Microsoft made announcements that SharePoint Designer and InfoPath are no longer the preferred tools for this environment, and buttons to Flow and PowerApps start replacing the existing workflows and "edit properties" screens in SharePoint. However, as long as the current DLP rules are limited to "company data only" and "no company data allowed", those tools do not pass our company compliance policies and need to be blocked completely. This is affecting the user experience in a negative way.
We already countered the fact that Flow and PowerApps are publicly available by disabling cross tenant access to our tenant. If we didn't do this, users would be able to connect to our tenant from any other tenant or free Microsoft account and ignore any DLP rules we set up in our tenant.
We're also looking for something similar.
We would like to avoid any data breach and we have only a few connectors that can be on the white list. Here, the data group policies don't block any. This is restricting the fact we can't have two connections from different groups on the same app... but not enough at all.
It would be nice to have such as in Teams, the possibility to remove "3rd party" connectors and even more, being able to define the connectors we can white or black list!
This cannot be done by ourselves. We created a service request for Microsoft. We used our premier contract, but I suppose you can also use the service request functionality in the admin center.
Simon, just so I understand, you put in a request to have a connector blocked and Microsoft was able to do this on the back end? I have put in multiple requests to have this done and can't get any traction on this issue. If you were able to accomplish this, is there any chance you could share the case number so I can reference it?
@msmith you can restrict using https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tenant-restrictions. I tested this approach using Fiddler rules and it works perfectly fine.
We created a UserVoice for solving this problem: