The Most Important Setting in Your Power Platform
david wyatt
Posted on October 7, 2024
Delving into the tenant admin settings of the Power Platform can be a little daunting.
They are (probably) all important in their own way, but theres one that is really really important, and of course Microsoft turns if off by default.
And that is, drum roll.....
Its Tenant Isolation, and its not even in the tenant settings, its in the new security dashboard.
So what is tenant isolation and why is it so important?
What is it
In a nut shell Tenant isolation links your Microsoft's connectors to your Power Platform.
It has 2 areas, inbound and outbound.
Outbound
As you may have guessed, this stops outbound access to other tenants. So as example you can't sign into a Outlook 365 account from another tenant/company within your Power Platform.
If you try and create a connection you get the following error:
Note you can whitelist tenants that you do want to allow.
Inbound
So if outbound stops you accessing external tenants, inbound stops external Power Platforms from accessing your tenant. This means if another tenants Power Platform tries to create a connection with your tenant it would be blocked.
If you create the connection in the external Power Platform you get the below error:
Again you can whitelist tenants that you do want to allow.
Why is it Important
So now for the million dollar question, why does it matter? Well do you have DLP policies, do you want to protect your data? Hopefully both answers are yes, so let me explain.
DLP Policy
Your DLP policy stops certain connectors either working or working together, as an example you may:
- Want to stop Google Drive working with SharePoint: to stop data leaving your controls
- Block AI or Not: until you have a data agreement
- Block certain urls from Custom Connector/HTTP action
But those DLP are locked at your Tenant/Environment, so if you did not have inbound controls on one of your users could:
- Spin up a Microsoft dev tenant (https://developer.microsoft.com/)
- Set the DLP to fully open (its your tenant so you have full global admin rights)
- Sign in to their work tenant
- Add blocked/incompatible connectors
- Run the flow
By adding inbound controls you in theory expand your DLP beyond your Power Platform to all Power Platforms, blocking access to your Microsoft's tenant api's like Graph api.
Data Extraction
Protecting data is key to every organisation, with multiple controls setup like conditional access to stop data moving out of their systems/control. And this is where tenant isolation outbound controls are key. Just imaging you want to extract key data from SharePoint (good old SharePoint, always causing trouble with sensitive data that shouldn't really be there 😎) Without any tenant isolation outbound controls its easy to transfer all the data out automatically.
All they would need to do is:
In a flow sign into SharePoint with their work account to list the data. Then sign into SharePoint again with another tenant (this time an add row action). They can then transfer the data from one SharePoint list in one tenant to another list in another tenant. They can then do the same DLP bypass if they need to or whatever they want with the data.
And just to make it super easy, the flow could be triggered on data add/modified, ensuring that the extracted data is as good as live data.
Hopefully everyone has this setting turned on, and if you don't please turn it on.
Quick call out, from my experience outbound connections already made do not get retrospectively blocked if you turn on Tenant Isolation. And I haven't seen a way to track outbound connections that have been created (and obviously even less likely to see what's in someone else's Power Platform).
Posted on October 7, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.