Hi,
I'm trying to find out if it is possible to block certain actions in Power Automate Desktop for a whole PC.
DLP policies for Power Automate Desktop are currently in public preview. If I log in to my work account with Power Automate Desktop the policy is being enforced.
But I can still sign in to PA Desktop with my private MS account, in which case the policy is not enforced. So we have the potential problem that DLP policies are not enforceable for all users, since users can simply create a private MS account and log into Power Automate Desktop with that account. Afterwards they will still have access to all resources on the machine, but without a DLP in place.
Is there a way to enforce the DLP policy for all flows on a computer and not only for the signed in user?
Best Regards
Those DLP policies are stored in your Power Platform environment. When a Microsoft account logs in to Power Automate Desktop, they don't have access to the Power Platform environments in your tenant. Their flows are stored in consumer OneDrive (not OneDrive for Business). That's why the policies don't apply. However, there is a registry key that can be set on a machine that prevents people from logging in to PAD with a Microsoft account. In that way the DLP policy will always apply. You can read about it here: Governance in Power Automate - Power Automate | Microsoft Docs
Hi @Pstork1 ,
thanks for the answer. Just for clarification: If I set that registry key, users cannot sign in to PAD with the private MS account, but they can still sign in with their work or school account. Is that correct?
Correct. That registry key just blocks users from logging in with MS accounts, not Organizational accounts. The registry key would need to be set on each machine. That can normally be done using Group policies in your Domain.