DLP: testing out HTTP connector endpoints

We have a couple of flows running in the Default environment that use the HTTP connector. We are currently tightening up our DLP policies, and one task is to remove the HTTP connector from the Business category to prevent data leakage.

However, some of the flows that currently use the HTTP connector are in active production use, and we can’t make the desired configuration change until those flows have been moved to another, more permissive environment. Therefore we have decided to leave the flows running in the Default environment and instead configure the HTTP connector endpoints so that only specific endpoints are allowed.

Before jumping into our company Default environment and modifying its DLP policy straight away, I want to try out this endpoint configuration feature first.

Step #1: Create a flow that uses the HTTP connector

I created a simple flow that is manually triggered and makes an HTTP GET call to https://graph.microsoft.com/v1.0/subscribedSkus (which is actually one of the endpoints our flows are using).

Why am I using the Office 365 Outlook Send an email action as well? Because I want two connectors in my flow, which I will later configure to belong to two different DLP categories…

Without having any DLP policies applied to my development environment I am able to run the flow successfully.

Step #2: Create a DLP policy that has both connectors in the Business category

Next I create a new DLP policy and apply it to my development environment.

Now that both connectors I am using belong to the same category (Business), the flow should run without problems. And it does.

Step #3: Move the Office 365 Outlook connector to the Non-business category

Next I move the Office 365 Outlook connector to the Non-business category. After this operation the flow should fail, because connectors from different categories are not allowed in the same Power Automate flow (or Power Apps app).

After updating the policy and running the flow…

I am getting an error in the Flow checker quite soon after the policy change:

However, I am still able to start the flow, and it runs successfully. This is due to the delay in how DLP policies are applied. After some time (it took about 30 minutes) the flow is correctly suspended because it violates the policy:

Step #4: Move the Office 365 Outlook connector back to the Business category and adjust the connector endpoints to deny all

Now we move back to the setup from Step #2 with one exception: we configure the HTTP connector endpoints so that all URLs are denied.

Switch the Action from Allow to Deny.

Now, when trying to turn the flow back on, we get a different error message:

Things are working as expected so far.

Step #5: Allow the desired endpoint only

Next I configure the DLP policy so that it allows HTTP requests only to the endpoint https://graph.microsoft.com/v1.0/subscribedSkus.

Now the status of the Power Automate flow changes to On and the flow runs successfully.

Step #6: Adding a blocked HTTP request

To double check the functionality, I tried adding another HTTP call to a blocked URL.

And, as expected, the flow was automatically turned off with an appropriate error message.
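To dry-run the endpoint rules from Steps 4 to 6 before editing the production Default environment policy, here is an added example (not code from the original post or from Microsoft) that models ordered endpoint rules. It assumes the semantics of first match wins, a trailing `*` catch-all rule, and `*` matching any characters (implemented with `fnmatch`); the real matching engine may differ in detail.

```python
# Added example, not code from the original post: a model of ordered
# connector-endpoint rules, for dry-running a policy like Steps 4-6 before
# touching the production DLP policy. Assumed semantics (not Microsoft's
# implementation): rules run in ascending 'order', first match wins, the last
# rule is the '*' catch-all, and '*' matches any characters (fnmatch here).
import fnmatch
from dataclasses import dataclass

@dataclass(frozen=True)
class EndpointRule:
    order: int
    endpoint: str   # URL pattern; '*' is the only wildcard used here
    behavior: str   # "Allow" or "Deny"

GRAPH_URL = "https://graph.microsoft.com/v1.0/subscribedSkus"

# Step 4: only the catch-all rule, switched from Allow to Deny.
STEP4_DENY_ALL = [EndpointRule(1, "*", "Deny")]

# Step 5: allow the single Graph endpoint, deny everything else.
STEP5_ALLOW_GRAPH = [
    EndpointRule(1, GRAPH_URL, "Allow"),
    EndpointRule(2, "*", "Deny"),
]

# Mis-ordered variant: the catch-all sits first and shadows the Allow rule.
SHADOWED = [
    EndpointRule(1, "*", "Deny"),
    EndpointRule(2, GRAPH_URL, "Allow"),
]

def evaluate(rules, url):
    """Return 'Allow' or 'Deny' for url under the ordered rule list."""
    for rule in sorted(rules, key=lambda r: r.order):
        if fnmatch.fnmatchcase(url, rule.endpoint):
            return rule.behavior
    raise ValueError("policy has no catch-all '*' rule")

def shadowed_rules(rules):
    """Rules that can never fire: their endpoint string is already matched by
    an earlier rule's pattern (conservative check, always true after '*')."""
    ordered = sorted(rules, key=lambda r: r.order)
    return [later for i, later in enumerate(ordered)
            if any(fnmatch.fnmatchcase(later.endpoint, earlier.endpoint)
                   for earlier in ordered[:i])]

if __name__ == "__main__":
    for name, policy in [("step5", STEP5_ALLOW_GRAPH), ("shadowed", SHADOWED)]:
        print(name, evaluate(policy, GRAPH_URL), shadowed_rules(policy))
```

Running `shadowed_rules` over a policy before saving it catches the mis-ordered case, where the flow would stay blocked even though an Allow rule for the Graph endpoint exists.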
