One of Microsoft’s current goals is the expansion and accelerated adoption of its Power platform, so by now most of us are used to getting bombarded with marketing posts and sales pitches going on and on about the benefits of the platform, its ease of use, the greatness of the “citizen developer” and so on. Yet for years some very obvious governance, compliance and security concerns have remained unaddressed or have been swept under the rug with half-baked features that were meant to address them. I’ve ranted about this previously over at Practical 365, where we discussed how hard it is to prevent users from accessing Flow/Power Automate even when you have a valid reason for doing so, as well as how easy it is to bypass some of the “traditional” data exfiltration controls.
For years we’ve had the DLP feature as part of the platform, yet it failed to address important scenarios such as using a single connector to both fetch and export data out of the tenant via multiple connections. In addition, some high-profile connectors weren’t covered by the DLP controls (still true, although the list is shorter now). And here is where the good news comes – Microsoft is now releasing a new set of controls to address some of these gaps. Dubbed Cross-tenant inbound and outbound restrictions, these new controls allow you to restrict any attempt at creating a connection via accounts belonging to other organizations, as well as restrict your own users from creating such connections outside of their “home” tenant. The bad news is that you currently need to open a support request in order to enable this functionality, so I’m not able to cover the process in detail just yet.
Nevertheless, I believe this is a good step forward and one that should address at least some of the concerns of enterprise customers. And who knows, going forward we might actually see a shift in behavior on this front, with features being released with compliance and security in mind from the get-go.