I created DLP Policy that only applies to a single environment, [Europe (Trial)], named "Policy 12:02:24 09-21-2018"
The policy has only two connectors defined in the Business data only group:
Office 365 Users
The policy has all other connectors defined in the No Business data group.
After creating the policy, it appeared on the Flow Admin > Data Loss Prevention Policies page and the settings were still intact -- only apply the policy to the EU Trial environment with Planner and Office 365 Users listed as the only connections in the Business Data Only group.
The environment already had four connectors set up prior to the creation of the policy, but they were not being used by any flows. Here is a list of the connectors, all displaying a status of "Connected":
OneDrive for Business
Office 365 Users
I decided to create the data loss prevention policy to only target 2 of the 4 established connectors to test the functionality and learn how the policy conflict would surface in the Flow Admin and regular Flow UI. This allows me to understand the Administrator and end-user experience when a connector was in conflict with a DLP policy.
I did not see any indication on the Connectors page for the EU Trial environment, which was expected because the documentation only mentioned that the conflict would be displayed on an individual Flow.
Since I did not have any flows defined, I would also be able to see how a conflict is handled when creating a new flow that had a connector already in the "Connected" state, OneDrive for Business, and setting up a brand new Connector, Office 365 Outlook. Both of the connectors are defined in the No Business Data Only group for the EU Trial Environment.
I created a new Flow from the Template: "Save Office 365 email attachments to OneDrive for Business" in the EU Trial environment after the policy was already created. This template was perfect because it used the 2 connectors in conflict with the DLP policy as they are not included in the Business data only group.
I did not see any visual indication that the flow was in conflict, though it did take a bit longer to create than usual. Since I did not see any notification that the Flow was suspended, I decided to run the Flow using the Test feature displayed in the Flow Editor and initiate the trigger action myself by sending an email with an attachment. I thought that the Flow execution engine would check at runtime to ensure that the connectors defined in the Flow were in the Business Data Only group and fail the Flow if a conflict was detected then place the flow in a "Suspended" state.
The data loss prevention policies did not kick in and block the Flow from accessing Business Data using Connectors that were defined in the No Business data group. The flow ran successfully and accessed Outlook email and OneDrive for Business. No indication of the connectors being in conflict with the DLP policy and the access to business data was not blocked in the EU environment.
The documentation about when the policy takes effect is ambiguous. There is a mention of a delay after creating a policy that it might take a few minutes to appear on the Flow Admin page, which makes me believe that once it appears, it is in effect. The policy appeared quickly after I created it, within a few seconds.
It would be great if there was an indication on the Connectors page for an environment about a conflict with a DLP policy, possibly in the Status column.
On the Flow Admin Page, it would be nice to have a feature that tests the Policy and generates a report of Flows and Connectors that are in conflict, similar to the wizards for Group Policy or the New DLP Policy in the Security and Compliance Admin center.
Is there more information on how DLP policies are handled for Trial environments and what to expect about when the DLP policy takes effect?
How are DLP Policies given priority? If one DLP policy applies to all environments and another only applies to specific environments, which takes precedence? It might be nice to include a Priority weighting on DLP Policies in Flow Environments.
Are there any audit events visible in the Office 365 admin logs for Flow Environment changes and DLP policy changes? It would be great to have the ability, similar to Resource Locks in Azure, to lock Flow Environments and DLP policies so that they can be access controlled with a specific role.