Previously known issue
https://learn.microsoft.com/en-us/power-automate/create-child-flows#known-issues
“If you block the HTTP Request connector via data loss prevention (DLP), child flows are also blocked because child flows are implemented using the HTTP connector. Work is underway to separate DLP enforcement for child flows so that they are treated like other cloud flows.”
Objective
As a Power Platform admin, I want to be able to block HTTP connectors via DLP policy (if required) without breaking core platform functionality.
Therefore, I will test that the following functionality works as described in the documentation below on the DEV tenant:
“Enable the enforcement of DLP policies to include child flows
Enabled for | Public preview | Early access | General availability |
Admins, makers, marketers, or analysts, automatically | Feb 20, 2023 | – | Apr 10, 2023 |
Currently, data loss prevention (DLP) policies aren’t enforced into child flows. Because of this, admins can block the HTTP connector if they want to block child flows. Unfortunately, this has the side effect of also blocking child flows if the HTTP connector needs to be blocked for some other reason.
With this feature, DLP policy enforcement includes child flows. If a violation is found anywhere in the flow tree, the parent flow is suspended. After the child flow is edited and saved to remove the violation, the parent flows can be resaved or reactivated to run the DLP policy evaluation again.
This feature will roll out slowly using the DLP change process with design-time and full enforcement stages. A change to no longer block child flows when the HTTP connector is blocked will roll out with full enforcement of DLP policies on child flows when this feature reaches general availability.”
Testing Setup
On the TEST tenant, do the following for the test environment:
Setup for Scenario 1
On the test environment, create an HTTP-triggered Flow and an HTTP action Flow.
Save and run to confirm the Flow is working.
Setup for Scenario 2
On the test environment, create a manually triggered Flow.
Save and run to confirm the Flow is working.
Setup for Scenario 3
On the test environment, create a child Flow. Create a parent Flow to trigger the child Flow.
Save and run to confirm the parent Flow and the child Flow are working.
Setup for Scenario 4
On the test environment, create an app that triggers a Flow. Check the Flow and the app are working.
Apply a new DLP policy.
1) Exclude the environment from the tenant policy
2) Create a DLP policy for the test environment that blocks HTTP connectors
Scenario 1
On the test environment, run the HTTP-triggered Flow. Confirm the policy applies to the Flow.
Test Result
PASS
Scenario 2
On the test environment, run the manually triggered Flow.
Confirm the policy doesn’t break the Flow.
Test Result
PASS
Scenario 3
On the test environment, run the parent Flow to trigger the child Flow.
Confirm the policy doesn’t break the parent Flow or the child Flow.
Test Result
PASS
Scenario 4
On the test environment, run the app that triggers the Flow. Check the policy doesn’t break the Flow or the app.
Test Result
PASS
Summary
As the test results show, blocking HTTP connectors via DLP policy doesn’t break child Flows, manually triggered Flows or Power App triggered Flows.
Before applying the change to your PROD environments, run the tests on non-PROD environments to confirm it works for your tenant.
Olena 🙂
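The enforcement behaviour quoted from the documentation and the four scenarios above can be expressed as a small model. This is an added example, not code from the original post or from Microsoft: the `Flow` class, the connector labels and the `legacy` switch (which treats a child-flow call as HTTP connector use and skips child evaluation) are assumptions made for illustration.

```python
# Simplified model of DLP evaluation over a flow tree. Added example:
# not Microsoft's implementation; connector labels are constructed.
from dataclasses import dataclass, field

@dataclass
class Flow:
    name: str
    connectors: frozenset                       # connectors used by trigger and actions
    children: list = field(default_factory=list)  # child flows this flow calls

def offenders(flow, blocked, legacy=False, seen=None):
    """Names of flows in the tree that use a blocked connector.

    legacy=True models the known issue (assumption): the child-flow call
    itself counts as HTTP use, and child flows are not evaluated.
    """
    seen = set() if seen is None else seen
    if flow.name in seen:          # guard against flows that call each other
        return []
    seen.add(flow.name)
    used = set(flow.connectors)
    if legacy and flow.children:
        used.add("HTTP")
    found = [flow.name] if used & blocked else []
    if not legacy:                 # new enforcement walks into child flows
        for child in flow.children:
            found += offenders(child, blocked, legacy, seen)
    return found

def is_suspended(root, blocked, legacy=False):
    """A violation anywhere in the tree suspends the parent (root) flow."""
    return bool(offenders(root, blocked, legacy))

BLOCKED = frozenset({"HTTP"})      # the test DLP policy: HTTP connectors blocked

# Constructed flows mirroring the four scenarios, plus a violating child.
http_flow = Flow("http-triggered", frozenset({"HTTP"}))
manual_flow = Flow("manual", frozenset({"Manual"}))
parent_flow = Flow("parent", frozenset({"Manual"}),
                   [Flow("child", frozenset({"SharePoint"}))])
app_flow = Flow("app-triggered", frozenset({"PowerApps"}))
bad_tree = Flow("parent-2", frozenset({"Manual"}),
                [Flow("child-2", frozenset({"HTTP"}))])

if __name__ == "__main__":
    for f in (http_flow, manual_flow, parent_flow, app_flow, bad_tree):
        print(f"{f.name:15} new={is_suspended(f, BLOCKED)!s:5} "
              f"legacy={is_suspended(f, BLOCKED, legacy=True)}")
```

The fifth tree is the case worth adding to a test plan: a parent that is itself clean is still suspended when its child uses a blocked connector.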