TenantA has a DLP with SharePoint in "Business Data Only". This means that users in TenantA cannot email content from SharePont via Flow. This is good.
TenantA creates an account for a consultant, Sam. Sam also has an account in a TenantB. Sam creates a flow in his TenantB that connects to SharePoint in TenantA, which emails content from SharePoint. Sam's Flow wouldn't be subject to the DLP, because the Flow is running in TenantB.
We also have a separate tenant for developers for them to build/test. They're in charge of that tenant, and so they can also ignore any DLP policies in the main tenant, right?
So, what do we actually accomplish by configuring DLP? Is there a way for admins to block users from emailing business data, or posting it to Twitter, via flow?
Thanks for your feedback. A DLP is applied to one or more environments which are created by a tenant. The DLP takes effect in one or more environments which are created by a tenant. The DLP is created in TenantA is not effective in TenantB.
More details about Data Loss Prevention Policies, please check the following document:
So is this a bug in the software, or does the documentation need to be udpated? According to the docs:
"Benefits of a DLP policy Ensures that data is managed in a uniform manner across the organization Prevents important business data from being accidentally published to services such as social media sites."
But because of the issue I pointed out with tenants, these benefits don't actually exist.