Power Platform – Update to Add-CustomConnectorToPolicy data loss prevention (DLP) PowerShell cmdlet

Effective December, 2020, data loss prevention (DLP) policies’ Powershell cmdlet Add-CustomConnectorToPolicy will no longer support the addition of custom connectors to tenant level policies. Additionally, custom connectors added to tenant level policies will not be shown on the data loss prevention page (DLP UI) in the Power Platform admin center.

What are data loss prevention policies?
Your organization’s data is likely one of the most important assets you are responsible for safeguarding as an administrator. Power Apps and Power Automate allow the rapid build and rollout of high value applications that allow users to measure and act on the data in real time. Users often have good intentions but might overlook the potential for exposure from data leakage to services and audiences that shouldn’t have access to the data. Data loss prevention (DLP) policies enforce rules of what connectors can be used together by classifying connectors as either Business Data only or No Business Data allowed. Simply, if you put a connector in the business data only group, it can only be used with other connectors from that group in the same app. Please see this article for further information on DLP.

What specifically is changing?
Effective December, 2020, the Powershell cmdlet Add-CustomConnectorToPolicy will no longer support the addition of custom connectors to tenant level policies.

Legacy policies that were created with this feature will continue to function, however custom connectors added from the PowerShell cmdlet will not appear show on the Power Platform admin center user interface for tenant level policies. This cmdlet will be deprecated in Q1 2021, and environment admins should begin migrating to the data loss prevention cmdlets New-DlpPolicy, Get-DlpPolicy, Set-DlpPolicy and Remove-DlpPolicy to create and manage DLP policies with all types of connectors including custom connectors.

How can you manage custom connectors after this change?
If you were leveraging this gap as a by-design method to manage the DLP policies, then you can switch to using environment level DLP policies to manage custom connectors. We recommend keeping tenant level policies in place and copy these settings to environment level policies, then add custom connector classification as an add-on setting using the same PowerShell cmdlet along with the environment name as a parameter.