MC1403390: Power Platform Admin Center Replaces Classic DLP with Advanced Connector Policies and Restores Design-Time Enforcement

MWPRO IMPACT SCORE
OPERATIONAL IMPACT
49
0 25 50 75 100
MODERATE IMPACT • ASSESS BUSINESS IMPACT
Recommended Action:
Take a look and decide whether this affects your tenant, users or support teams.
What is MWPro Impact Score? Watch our 60‑second explainer

Primary Audience

Power Platform AdminsMicrosoft 365 AdminsIT ManagersSecurity TeamsCompliance TeamsService Owners
Why this score?
AI Confidence
HIGH
Enough detail is available to trust this assessment.
Assessment Reasoning
Advanced connector policies are now generally available and re-enable design-time enforcement, replacing classic DLP classifications with a default-deny model. Admins must review connector and action usage, build allowlists, and decide whether to switch from DLP, which involves planning, testing, and policy design. The feature is off by default, so immediate urgency is moderate, but governance changes are significant for long-term compliance. User impact is indirect because this change primarily affects policy enforcement and app authoring rather than end-user workflows.
68
🛡️ Admin Impact
20
👥 User Impact
40
Urgency
60
🔧 Implementation Effort
ℹ️ WHAT YOU NEED TO KNOW
📌

AT A GLANCE

Advanced connector policies (ACP) are now generally available in Power Platform admin center, replacing the classic DLP connector classification with a default-deny allowlist model for certified connectors and actions.
👥

END USERS

No major end-user change expected.
🛡️

IT ADMINS

ACP is off by default. Review connector usage and plan allowlists before enabling in high-risk or pilot environments.
📅

ROLLOUT TIMELINE

Available:
Now

📢 Official Microsoft Message Center Announcement


Power Platform admin center – Advanced connector policies
Message ID: MC1403390 (Updated)
Update: Design-time enforcement functionality of this feature has been re-enabled within Power Apps.

We are announcing the ability to use advanced connector policies (ACP) to govern which connectors, connector actions, and Model Context Protocol (MCP) servers are permitted across your environments in Power Platform admin center. This feature reached general availability on June 4, 2026.

How does this affect me?
ACP replaces the Business/Non-Business/Blocked classification model of classic data loss prevention (DLP) policies with a single default-deny allowlist, and is off by default until explicitly activated by an administrator. ACP currently applies to certified connectors only (including MCP connectors); continue using DLP policies for custom connectors. This feature includes the following capabilities:
  • Default-deny allowlist: All certified connectors and actions are blocked unless explicitly added. New connectors are blocked by default until an administrator reviews and allows them. Business and non-business classifications have been removed for connectors and actions to improve clarity.
  • Design-time and runtime enforcement: Makers now get immediate feedback while authoring an app, flow, or agent, not only at runtime when data is changing. Makers are blocked from adding restricted connectors or actions while authoring, and the platform performs a last-mile check at runtime.
  • Govern AI tools: Admins can block an MCP server just like any other connector or action.
  • Action-level control: Allow a connector while disabling specific risky, deprecated, or internal actions. Triggers, internal, and deprecated actions are clearly tagged.
  • Automatic scaling: Because ACP is native to environment groups, the right policy follows each environment created through personal developer environments and routing, no environment-by-environment overhead is required.
  • ACP-only mode: Optionally skip classic data policy evaluation entirely for a clean governance posture.
Admins can enable ACP directly on a single environment, which does not require Managed Environments, for high-risk, pilot, or regulated environments. Admin can also enable it once applied to an environment group to govern a fleet at scale, which does require Managed Environments.

What action do I need to take?
This message is for awareness, and no action is required.

To enable ACP in your environment, navigate to the Power Platform admin center and complete the following steps.
  1. Review inventory. Use Power Platform inventory (preview) under Manage > Inventory to see connector and operation usage across apps, flows, and agents so you can anticipate impact before activating ACP.
  2. Test on a single environment. Apply ACP under Security > Data and privacy in the Power Platform admin center. No Managed Environments are required for a single environment. The policy remains off until you activate it.
  3. Build your allowlist. Starting from default-deny, add the certified connectors and actions your teams require. New connectors are blocked by default, so plan for ongoing allowlist reviews.
  4. Scale with environment group. Applying ACP across an environment group requires Managed Environments. Configure on the group’s Rules tab.
  5. Run hybrid with DLP. Keep existing DLP policies in place for custom connectors, HTTP connectors, and scenarios not yet at parity while you migrate to ACP.
  6. Evaluate ACP-only mode. Test it in public preview to prepare for migration off of DLP policies.
If you would like more information on this feature, please visit the Advanced connector policies documentation and the announcement blog post.

Source: Microsoft Message Center • Analysed by MWPro

<<< [MC1403390] Archive
Tooltip: View earlier revisions of this post

Latest Posts

Pass It On
Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply