Manage Dataverse for Teams environments in Power Platform

DLP policies set up in the compliance center do not apply to Power Apps, Power Automate and Power Virtual Agents as of this writing. Data loss prevention policies can instead be set up in the Power Platform admin center to manage the Power Platform environments in your tenant.

DLP policies in the Power Platform admin center can be set up at tenant level or at environment level. To set up tenant-level policies you have to be either a global admin or a Power Platform admin. To set up an environment policy you have to be an environment admin.

I am not going to discuss how to set up a new DLP policy in your Power Platform. Here is an article published by Microsoft detailing that: https://docs.microsoft.com/en-us/power-platform/admin/create-dlp-policy

I want to discuss Dataverse for Teams environments in Power Platform, which are created without admin involvement. Anyone in Teams can spin up such an environment just by trying to create a Power App in Teams, with or without knowing what is actually happening in the backend. Each team will have its own environment and limits.

The point I want to highlight here is that if you have set up a DLP policy in the Power Platform admin center to include all environments, it will NOT include all Dataverse for Teams environments by default after the policy is created. You either have to add newly set up environments or run PowerShell UpdatePolicyEnvironmentsForTeams periodically.

Here is what I found that worked for me without having to schedule this cmdlet to run periodically.

While creating the DLP policy, select Scope as 'Exclude certain environments'.

In the next step, select a Sandbox environment or a developer environment which you know for sure will not contain any users other than admins and will not be consumed.

Once the policy is set up, it will be defined to include all environments except the one specified.

Any new Teams environments created after the policy creation will be covered by this policy.
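
To check the outcome, the scope rules can be applied to an inventory of environments and policies. The PowerShell below is an added example, not part of the original post or Microsoft's code: it runs on constructed sample objects, and the property names, scope labels and the Get-TeamsDlpCoverage helper are assumptions for illustration. An 'all environments' policy is reported as Review rather than Covered because of the behaviour described above.

```powershell
# Constructed sample data. In a tenant these objects would be built from the
# output of Get-AdminPowerAppEnvironment and Get-DlpPolicy; the property names
# and scope labels used here are assumptions, not the cmdlets' exact schema.
$environments = @(
    [pscustomobject]@{ Id = 'env-default';  Name = 'Contoso (default)'; Sku = 'Default' }
    [pscustomobject]@{ Id = 'env-sandbox';  Name = 'Admin sandbox';     Sku = 'Sandbox' }
    [pscustomobject]@{ Id = 'env-teams-01'; Name = 'Marketing team';    Sku = 'Teams' }
    [pscustomobject]@{ Id = 'env-teams-02'; Name = 'Finance team';      Sku = 'Teams' }
)
$policies = @(
    [pscustomobject]@{ Name = 'Baseline'; Scope = 'ExceptEnvironments'; EnvironmentIds = @('env-sandbox') }
    [pscustomobject]@{ Name = 'Finance';  Scope = 'OnlyEnvironments';   EnvironmentIds = @('env-teams-02') }
    [pscustomobject]@{ Name = 'Legacy';   Scope = 'AllEnvironments';    EnvironmentIds = @() }
)

function Get-TeamsDlpCoverage {   # hypothetical helper, not a Microsoft cmdlet
    param([object[]]$Environments, [object[]]$Policies)

    foreach ($e in ($Environments | Where-Object { $_.Sku -eq 'Teams' })) {
        foreach ($p in $Policies) {
            $listed = $p.EnvironmentIds -contains $e.Id
            $status = switch ($p.Scope) {
                # Exclusion policy: everything applies unless explicitly listed
                'ExceptEnvironments' { if ($listed) { 'NotCovered' } else { 'Covered' } }
                # Inclusion policy: applies only to environments explicitly listed
                'OnlyEnvironments'   { if ($listed) { 'Covered' } else { 'NotCovered' } }
                # All-environments policy: confirm manually, per the post's observation
                default              { 'Review' }
            }
            [pscustomobject]@{
                Environment = $e.Name
                Policy      = $p.Name
                Scope       = $p.Scope
                Status      = $status
            }
        }
    }
}

$report = Get-TeamsDlpCoverage -Environments $environments -Policies $policies
$report | Format-Table -AutoSize

# Teams environments for which no policy is definitely in effect
$report | Group-Object Environment |
    Where-Object { $_.Group.Status -notcontains 'Covered' } |
    Select-Object -ExpandProperty Name
```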