Use Flow for directional data governance

In some business situations, data comes from outside sources through connectors and enters services that also hold your important business information. Typically, these connectors can exchange data with each other in either direction. The challenge with Data Loss Prevention (DLP) policies is ensuring that data only moves between the connectors in one direction, so that your valuable business data isn't accidentally sent to a third party. Managing the flow of data so that it only goes where it's supposed to go is called directional data governance.

Currently, DLP policies don't handle directional data governance: a policy that places two connectors in the same data group allows data to move between them in either direction. However, you can use Power Automate itself to detect flows that send your business data to third parties and disable them. Keep in mind that this approach is detective rather than preventive: a flow that runs before the governance flow's next scheduled check can still send data, so treat it as a complement to your DLP policies, not a replacement.

Here's an example: Suppose your organization wants to use SharePoint to keep track of X (formerly Twitter) posts. Without controls in place, your business information could also flow in the other direction, from SharePoint to X.

To ensure data only moves in the right direction (from X to your SharePoint), follow these steps:

  1. Create a DLP policy from the Power Platform admin center that places the SharePoint and X connectors in the Business data group. This allows makers to build flows that use both of these connectors together.

    Screenshot of Microsoft Power Platform Admin center Data policies page on the Assign connectors step showing X and SharePoint connectors.

  2. Next, sign in to the Power Automate maker portal with your administrator account to build a governance flow: a scheduled flow that runs every hour.

  3. From the left navigation of the Home screen, select + Create, and then select Scheduled cloud flow. Enter a Flow name, a start date and time, and a repetition of every 1 hour; then select Create.

    Screenshot of Build a scheduled flow with Flow name set to Detect X Actions.

    A Recurrence trigger will automatically be added to your flow.

  4. Next, you create a variable that holds the number of "ticks" for the time 60 minutes ago. (A tick is a 100-nanosecond interval; the ticks() function returns the number of ticks since 1 January 0001 UTC, which gives you a plain integer that's convenient for comparing timestamps.) You use this variable later in the flow to find flows that were created or modified since your governance flow last ran, 60 minutes ago.

  5. Select the + sign under the Recurrence trigger to open the Add an action menu. In Search, enter Initialize variable and scroll down through the results to find the Initialize variable action. (It's under Variable actions.)

  6. Select the title Initialize variable and rename the action Initialize Variable - Timestamp Hour Ago. In Name, enter previousTimestamp. In Type, select Integer. Place your cursor in the Value field, and you see the option to select either a lightning bolt (to add dynamic content from a previous step) or fx (to add an expression). You're going to enter an expression, so select fx.

    Enter the expression ticks(addMinutes(utcNow(),-60)), and then select Add.

    Screenshot of Power Automate My flows page with the Initialize variable action's Value property with the ticks formula highlighted.

    Next, you create another variable. You use this variable later in your flow to detect whether other flows include an X action.

  7. Select the + under the step you just created to add another action. Search for and add another Initialize variable action. Select its title and rename it Initialize variable - Does flow contain X Action. In Name, enter isFlowAction, and change the Type to Boolean. Set the default value to false by selecting false from the dropdown under Value.

    Screenshot of a second Initialize variable action called Does flow contain X action.

    Next, you get a list of environments. You use this list later in the flow to check each environment for flows that include X actions.

  8. Select the + under the step you created and search for List Environments as Admin; you find that action in the Power Platform for Admins connector. You don't need to change any parameters in this step.

    Screenshot of new PowerPlatform for Admins action with the List Environments as Admin option highlighted.

    After listing the environments, you get the list of flows in each environment.

  9. Select the + under the step you created and search for List Flows as Admin (V2). (If a later version than V2 exists, use the latest.) You find this action under the Power Automate Management connector (formerly named Flow management, which is how some of the screenshots label it).

    Screenshot of Choose an action step with Flow management and List Flows as Admin highlighted.

  10. The List Flows as Admin action requires the name of an environment as an input parameter. Place your cursor in the Environment field, and select Custom values from the dropdown. The lightning bolt and fx appear again. This time you want to use the dynamic content generated by your List Environments as Admin step, so select the lightning bolt.

  11. You see a list of outputs available from the previous steps in your flow. Scroll down to the List Environments as Admin step and select its Name output. When you provide this input, an Apply to each action is automatically added that iterates through all your environments.

    Screenshot of Apply to each action with List Flows as Admin with dynamic content Name.

You're only interested in flows that were modified since the last time this flow ran, so add a condition that compares the ticks of each flow's last modified timestamp to the previousTimestamp variable you initialized earlier in the Initialize Variable - Timestamp Hour Ago step.

  1. To do this, first calculate the ticks of the flow's last modified timestamp. The complete condition is ticks(items('Apply_to_each_2')?['properties']?['lastModifiedTime']) is greater than previousTimestamp. The name inside items() must match the name of the Apply to each loop that iterates over the flows (here Apply_to_each_2, the second loop that was added automatically; spaces in an action name are written as underscores in expressions). If you renamed that loop, use its name instead.

    Screenshot of condition with number of ticks greater than previous with If yes and If no options.

  2. When you detect that a flow was modified within the past 60 minutes, you want to ensure that it doesn't belong to you, the administrator. This check avoids an error in a later step, when you would otherwise try to add the administrator as a co-owner of a flow they already own.

    Use the Office 365 Users connector's Get my profile (V2) action and add it to the If yes branch. This step returns information about the user whose connection the connector uses, which in this case is the administrator.

    Screenshot of Office 365 users in the If yes condition with the Get my profile action highlighted.

  3. Now, add another condition that verifies whether the Creator object ID (from the List Flows as Admin action) is not equal to ID (from the Get my profile (V2) action). The remaining steps go in the If yes branch of this condition, so they run only for flows that the administrator didn't create. (If you use is equal to instead, put the remaining steps in the If no branch; otherwise you get the co-owner error this check is meant to avoid.)

    In the If yes branch, add the Edit Flow Owner Role as Admin action from the Power Automate for Admins connector. This adds your administrator account as a co-owner of the flow, which is required before you can retrieve the flow definition.

    You retrieve the flow definition in an upcoming step; for now, provide the current Environment Name and Flow Name. Expand the Body/put section and add your administrator user's email address, display name, and ID. These values are available as dynamic content from your Get my profile (V2) action.

    Screenshot of EditFlow Owner Role as Admin with properties highlighted.

  4. After you add your administrator account as a co-owner of the flow, you can call the Get Flow as Admin action from the Power Automate Management (Flow management) connector.

    Screenshot of Flow management with Get Flow as Admin highlighted.

  5. The inputs to the Get Flow as Admin action include the current Environment Name and Flow Name. Its output includes the flow definition, which lets you determine whether an X action exists.

    Screenshot of If yes condition with Get Flow as Admin added with Environment set to Name and Flow set to Flow Name.

  6. To check whether an X action is used, add a condition that verifies whether Action Api name (from the Get Flow as Admin action) is equal to shared_twitter. (The connector's internal API name is still shared_twitter even though it's displayed as X.) After you add this condition, an Apply to each loop is applied automatically, because Action Api name is part of an array: each flow can have many actions. Note that this condition examines only the flow's actions, not its trigger; that's what makes the check directional.

  7. Within the If yes branch, set your isFlowAction variable to true, because you've now found a flow that includes an X action. You use this variable later in your flow to determine whether to disable the flow and email its owner.

    Screenshot of Condition with If yes with Set variable - Twitter Action exists highlighted.

  8. Outside the Apply to each loop that iterates through the actions of the flow being inspected, add another condition. This condition verifies whether the value of your isFlowAction variable is true.

    Screenshot of Condition 3 - Does Twitter action exist highlighted.

  9. In the If yes branch, add the Disable Flow as Admin action from the Power Automate for Admins connector (formerly Microsoft Flow for Admins). This disables the flow so that information can't be sent to X. To call this action, provide the current Environment Name and Flow Name.

    Screenshot of If yes containing Disable Flow as Admin with Environment Name set to Name and Flow Name set to Flow Name.

  10. When you disable someone's flow, send them an email so they know it's no longer running. To get the flow owner's email address, use the Office 365 Users connector's Get user profile (V2) action, passing the Creator object ID from the List Flows as Admin action as the User (UPN) input.

    Screenshot of Get user profile - Flow Creator with User (UPN) set to the Creator object ID.

  11. Send an email to the flow owner by using the Office 365 Outlook connector's Send an email (V2) action. Use the Mail and Given Name attributes returned by Get user profile (V2), and include the name of the flow by adding the Flow Display Name attribute from the List Flows as Admin output.

    Screenshot of Send an email with To set to Mail, text in the Subject, and text in the body with Given Name and Flow Display Name fields.

  12. Because you're looping through all flows in your tenant, set isFlowAction back to false at the end of each iteration of the flows loop, so that the next flow is evaluated from a clean state; otherwise a single detection would cause every subsequent flow to be disabled. You can now save your administrative flow.

    Screenshot of Set variable - Reset Twitter Flag with Name set to isFlowAction and Value set to false.

  13. To test your flow, sign in to the Power Automate maker portal with a different, non-administrator account. Create a flow that includes a SharePoint trigger and an X action. Your DLP policy doesn't block this scenario, but the administrative flow you created should detect it.

    Screenshot of Power Automate on the My Flows page creating a flow with the Twitter action with steps "When an item is created" and Get user profile.

  14. Now, run the Detect X (formerly Twitter) Actions flow that you created as an administrator. When it runs, it should detect that a flow was recently modified and includes an X action, disable that flow, and send an email to the flow owner.

    Screenshot of email with the subject Your flow has been disabled, and the message "Your flow: SharePoint > Twitter has been disabled, et cetera".

  15. If you examine the SharePoint to X flow, you see that it's now disabled as a result of the administrative flow.

    Screenshot of Power Automate Flows page with the SharePoint > Twitter flow disabled.

Retrieving information from X and sending it to SharePoint, however, doesn't violate your governance rules. Using your flow maker's account, create another flow that includes an X trigger and a SharePoint action. When your Detect X Actions governance flow runs, this flow remains enabled, because the check inspects only actions and the X connector appears here only as the trigger.

Screenshot of Power Automate on the My Flows page creating a flow with the X action with steps "When a new tweet is posted" and Create item.
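The following Python script is an added example, not code from this module or from Power Automate. It models offline the decision that one hourly run of the governance flow makes for each flow in the tenant, covering both the SharePoint > X case that gets disabled and the X > SharePoint case that's permitted: the ticks() arithmetic behind previousTimestamp, the "modified in the last 60 minutes" window, the creator-is-not-the-administrator check, and the action-only inspection for shared_twitter. It assumes only the fields the steps above name in the Power Automate Management outputs (properties.lastModifiedTime and properties.creator.objectId from List Flows as Admin, and properties.definitionSummary.actions[].api.name from Get Flow as Admin); the object IDs, flow names and records are constructed for illustration, not captured from a tenant.

```python
"""Offline model of the governance decision made by the scheduled flow.

Added example, not part of the Microsoft Learn module. Only the fields the
tutorial names are assumed: properties.lastModifiedTime and
properties.creator.objectId ('List Flows as Admin'), and
properties.definitionSummary.triggers/actions[].api.name ('Get Flow as Admin').
All records below are constructed, not captured from a real tenant.
"""
from datetime import datetime, timedelta, timezone

BLOCKED_API = "shared_twitter"  # the X connector's API name; unchanged by the rebrand
TICKS_EPOCH = datetime(1, 1, 1, tzinfo=timezone.utc)


def ticks(moment: datetime) -> int:
    """Mirror Power Automate's ticks(): 100-ns intervals since 0001-01-01T00:00:00Z."""
    delta = moment.astimezone(timezone.utc) - TICKS_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_timestamp(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps the connector returns."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def modified_since(flow: dict, previous_timestamp: int) -> bool:
    """First condition: ticks(lastModifiedTime) is greater than previousTimestamp."""
    return ticks(parse_timestamp(flow["properties"]["lastModifiedTime"])) > previous_timestamp


def has_blocked_action(definition: dict) -> bool:
    """Second condition, over every action: Action Api name equals shared_twitter.
    Triggers are deliberately not inspected; that is what makes the rule directional."""
    actions = definition["properties"]["definitionSummary"].get("actions", [])
    return any(action.get("api", {}).get("name") == BLOCKED_API for action in actions)


def decide(flow: dict, definition: dict, admin_object_id: str, previous_timestamp: int) -> str:
    """Return 'skip' (not evaluated), 'disable' (X action found) or 'allow' (no X action)."""
    if not modified_since(flow, previous_timestamp):
        return "skip"
    # Skip the administrator's own flows: adding the admin as co-owner of a flow
    # they already own is the error the tutorial's creator check avoids.
    if flow["properties"]["creator"]["objectId"] == admin_object_id:
        return "skip"
    return "disable" if has_blocked_action(definition) else "allow"


def run_governance(flows: dict, admin_object_id: str, now: datetime,
                   window: timedelta = timedelta(minutes=60)) -> dict:
    """Evaluate every (flow, definition) pair as one hourly run of the governance flow would."""
    previous_timestamp = ticks(now - window)  # ticks(addMinutes(utcNow(), -60))
    return {name: decide(flow, definition, admin_object_id, previous_timestamp)
            for name, (flow, definition) in flows.items()}


# --- constructed sample data (hypothetical IDs, names and timestamps) --------
ADMIN_ID = "11111111-1111-1111-1111-111111111111"
MAKER_ID = "22222222-2222-2222-2222-222222222222"
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _flow(modified: str, creator: str) -> dict:
    return {"properties": {"lastModifiedTime": modified, "creator": {"objectId": creator}}}


def _definition(trigger_api: str, *action_apis: str) -> dict:
    return {"properties": {"definitionSummary": {
        "triggers": [{"api": {"name": trigger_api}}],
        "actions": [{"api": {"name": api}} for api in action_apis]}}}


SAMPLE_FLOWS = {
    # SharePoint trigger, X action: business data leaving the tenant -> disable
    "SharePoint > X": (_flow("2024-01-01T11:30:00Z", MAKER_ID),
                       _definition("shared_sharepointonline", "shared_office365users", BLOCKED_API)),
    # X trigger, SharePoint action: permitted direction -> allow
    "X > SharePoint": (_flow("2024-01-01T11:45:00Z", MAKER_ID),
                       _definition(BLOCKED_API, "shared_sharepointonline")),
    # Same offending shape, but last modified two hours ago -> not revisited this run
    "Old SharePoint > X": (_flow("2024-01-01T09:00:00Z", MAKER_ID),
                           _definition("shared_sharepointonline", BLOCKED_API)),
    # The administrator's own flow -> skipped by the creator check
    "Admin's own": (_flow("2024-01-01T11:50:00Z", ADMIN_ID),
                    _definition("shared_sharepointonline", BLOCKED_API)),
}

if __name__ == "__main__":
    for name, verdict in run_governance(SAMPLE_FLOWS, ADMIN_ID, NOW).items():
        print(f"{name:>20}: {verdict}")
```

The "Old SharePoint > X" record shows the window's weakness: a flow modified before the 60-minute window is never revisited, so if a scheduled run is skipped or delayed, anything changed in the gap goes undetected. In a production governance flow, store the timestamp of the last successful run (for example in a SharePoint list) and compare against that instead of a fixed 60 minutes.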