That’s a bit of a clickbait title, isn’t it? But it is accurate, based on what I learnt this week. Is your DLP working? Do you think you have secured your environment?
Let me roll this back a bit. DLP, or Data Loss Prevention, policies can prevent users from using connections to unapproved sources, whether to pull data into or push data out of your tenant. Ensuring you have a good DLP is key to the security of your Power Platform environments. Often you will have multiple DLPs covering different environments, so you need to maintain each of them and tweak them as new requests come in for new requirements.
DLPs are great: they stop Power Apps and Power Automate flows from connecting to different sources, and users are usually made aware at run time if something will not work. But they don’t apply to Power Virtual Agents bots… by default.
But wait: if I want to get information from other sources, I use Power Automate, and that would be covered under the DLP I create. Yes, it would. However, there are a couple of features in PVA that are restricted by DLPs: authenticated access is one, and access to Skills is another.
When creating a bot, you often want to ensure it can only be deployed and used in a secure manner; however, there is an option for “No Authentication” when configuring your bot. If you select this option, you can deploy the bot anywhere and anyone can access it. If you’ve configured it to retrieve sensitive information from inside your network, this could lead to data breaches.
There is a DLP setting to disable “No Authentication”, called “Chat without Azure AD Authentication in Power Virtual Agents”. You can also see the other areas you can configure in the screenshot below.
Setting this to Blocked should stop you from using these features… but it doesn’t. There is another setting you need to turn on first.
Power Virtual Agents has its own DLP section in the Learn docs, and if you aren’t aware of this you would think your DLP settings were working. However, DLP for PVA is OFF by default! Yes, OFF by default: you actually need to turn it on to cover your PVA bots.
The documentation here shows the PowerShell script you need to run to turn it on. You can first check whether DLP enforcement is already enabled with:
Get-PowerVirtualAgentsDlpEnforcement -TenantId <tenant ID>
You can turn the setting on with the PowerShell below, and even set a date if you want to exclude bots created before a certain date:
Set-PowerVirtualAgentsDlpEnforcement -TenantId <tenant ID> -Mode Enabled -OnlyForBotsCreatedAfter <date>
There are other scripts in the doc to turn DLP enforcement on or off, do a soft turn-on, and exclude certain bots.
Once this is turned on, you can prevent users from creating bots with no authentication and block any of the other actions in the DLP policies you have configured.
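Putting the check and the enable step together, here is an added audit script that is not from the original post or from the Microsoft docs. It reads the current enforcement state, warns when it is off, and only then runs the Set- cmdlet, re-reading the state afterwards to confirm. It assumes the Microsoft.PowerApps.Administration.PowerShell module is installed, and the property name Mode on the object returned by Get-PowerVirtualAgentsDlpEnforcement is an assumption to verify against your own output.

```powershell
# Added example (not from the post or the docs): audit PVA DLP enforcement for one
# tenant and turn it on only if it is currently off. Requires the
# Microsoft.PowerApps.Administration.PowerShell module and a Power Platform admin.
param(
    [Parameter(Mandatory = $true)]
    [string]$TenantId,                                # tenant to audit
    [datetime]$OnlyForBotsCreatedAfter = (Get-Date),  # exclude older bots (the post's own option)
    [switch]$ReportOnly                               # audit only, change nothing
)

Import-Module Microsoft.PowerApps.Administration.PowerShell -ErrorAction Stop
Add-PowerAppsAccount | Out-Null   # interactive sign-in as a Power Platform admin

# Step 1: read the current state with the same Get- cmdlet the post shows.
$before = Get-PowerVirtualAgentsDlpEnforcement -TenantId $TenantId
Write-Host "Current PVA DLP enforcement:"
$before | Format-List | Out-String | Write-Host

# Assumption: the returned object exposes the state in a 'Mode' property
# (Enabled / Disabled). Check the real output once and adjust if it differs.
$isEnabled = ($before.Mode -eq 'Enabled')

if ($isEnabled) {
    Write-Host "OK: enforcement already Enabled; the PVA DLP settings apply."
    return
}

Write-Warning "PVA DLP enforcement is NOT enabled: the 'Chat without Azure AD Authentication' block is not in effect."

if ($ReportOnly) {
    Write-Host "ReportOnly set; not changing anything."
    return
}

# Step 2: turn it on with the Set- cmdlet from the post, limited to bots created
# after the cut-off so existing bots keep working during rollout; drop the date
# parameter to cover every bot in the tenant.
Set-PowerVirtualAgentsDlpEnforcement -TenantId $TenantId -Mode Enabled `
    -OnlyForBotsCreatedAfter $OnlyForBotsCreatedAfter

# Step 3: re-read and confirm rather than trusting the call succeeded silently.
$after = Get-PowerVirtualAgentsDlpEnforcement -TenantId $TenantId
if ($after.Mode -eq 'Enabled') {
    Write-Host "Enforcement now Enabled for bots created after $OnlyForBotsCreatedAfter."
} else {
    Write-Error "Enforcement still not Enabled; inspect the output above."
}
```

Run it with -ReportOnly first across each tenant you manage; the warning is the finding the post is about, since a Blocked DLP setting does nothing for PVA while enforcement is off.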
Ciao for now!
Matt
About the Author
I’m a D365 and Power Platform enthusiast. An avid learner and teacher, I’ve been delivering full cross-platform solutions for the last 5 years in the UK and Europe.
References
Collins, M. (2023), ‘Is your DLP working?’, available at: https://www.mattcollinsjones.co.uk/single-post/is-your-dlp-working [accessed 26 March 2024]