Policy layering is how connectors are distributed into logical groups when multiple DLP policies apply to the same environment. Take the following example of an environment where two policies are applied; for the sake of argument, only a small subset of the available connectors is shown.
Policy 1. Business Connectors: DataVerse, SharePoint, Teams, SQL and Outlook. Non-Business Connectors: FTP, SalesForce, Jira, Azure DevOps and Approvals. Blocked Connectors: Twitter, Google Drive and Gmail.
Policy 2. Business Connectors: DataVerse, SharePoint, Teams, Azure DevOps, Outlook and Approvals. Non-Business Connectors: SQL, SalesForce and Jira. Blocked Connectors: FTP and RSS.
The above policies will result in the following logical grouping:
Group 1: DataVerse, SharePoint, Teams and Outlook. In both policies all of these connectors were in the Business Connectors group.
Group 2: Azure DevOps and Approvals. In both policies these two were placed in the same group as each other; it does not matter that the group was Non-Business in one policy and Business in the other.
Group 3: SalesForce and Jira. In both policies they were part of the Non-Business Connectors group.
Group 4: SQL. SQL was Business in one policy and Non-Business in the other, so it shares a group with no other connector across both policies.
Blocked Connectors: any connector that is in the Blocked group of any policy ends up blocked.
What this logical grouping means is that a connector in a given group can only be used together with other connectors from that same group in any app or flow.
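To make the grouping rule concrete, here is an added example (not from the original post, and not Microsoft's implementation) that computes the layered groups from the two sample policies above. It assumes that a connector a policy does not list falls into a default group, passed as `default_group`; the real default-group setting is not described on this page.

```python
from collections import defaultdict

# Constructed sample data matching the two policies described above.
POLICY_1 = {
    "Business": {"DataVerse", "SharePoint", "Teams", "SQL", "Outlook"},
    "Non-Business": {"FTP", "SalesForce", "Jira", "Azure DevOps", "Approvals"},
    "Blocked": {"Twitter", "Google Drive", "Gmail"},
}
POLICY_2 = {
    "Business": {"DataVerse", "SharePoint", "Teams", "Azure DevOps", "Outlook", "Approvals"},
    "Non-Business": {"SQL", "SalesForce", "Jira"},
    "Blocked": {"FTP", "RSS"},
}

def layer_policies(policies, default_group="Non-Business"):
    """Return (groups, blocked) for every connector named in any policy.

    Two connectors share a group only when they sit in the same
    Business/Non-Business bucket in every policy; a connector blocked by
    any policy is blocked everywhere. default_group is an assumption for
    connectors a policy does not list explicitly.
    """
    every_connector = set().union(*(m for p in policies for m in p.values()))
    blocked = set().union(*(p["Blocked"] for p in policies))

    def bucket(policy, connector):
        for group, members in policy.items():
            if connector in members:
                return group
        return default_group

    groups = defaultdict(set)
    for connector in every_connector - blocked:
        # The per-policy classification tuple is the group identity.
        signature = tuple(bucket(p, connector) for p in policies)
        groups[signature].add(connector)
    # Deterministic order: larger groups first, then alphabetically.
    ordered = sorted(groups.values(), key=lambda g: (-len(g), sorted(g)))
    return ordered, blocked

def can_share(policies, a, b):
    """True when connectors a and b may be used together in one app or flow."""
    groups, blocked = layer_policies(policies)
    if a in blocked or b in blocked:
        return False
    return any(a in g and b in g for g in groups)

if __name__ == "__main__":
    groups, blocked = layer_policies([POLICY_1, POLICY_2])
    for i, g in enumerate(groups, 1):
        print(f"Group {i}: {', '.join(sorted(g))}")
    print("Blocked:", ", ".join(sorted(blocked)))
```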
Microsoft announced in 2021 Wave 1 that it is extending the DLP capabilities to allow more granular configuration of connectors. Instead of restricting a whole connector, you can restrict certain actions within that connector, and for some connectors you can also define endpoint filtering, e.g. allow the HTTP connector but only to connect to certain known URLs.
Currently these features are in public preview and only available for certain connectors. To configure it, edit your DLP policy and go to the list of connectors in the Business or Non-Business tab.
1. Select a connector, e.g. HTTP, Azure AD, or SQL.
2. In the toolbar, click Configure Connector and click on Configure Actions.
3. Toggle action(s) to No.
4. Click Save.
Now if I try to use this action in an app or flow, I will be prompted and I won’t be allowed to save the flow; in the case of existing flows, those will go into a suspended state.