4.3 Data Privacy (DLP), Monitoring/Analytics & ALM Pipelines
Key Takeaways
- Data Loss Prevention (DLP) policies classify connectors as Business or Non-Business (or Blocked) and prevent a single app or flow from combining connectors across groups
- DLP policies can be tenant-wide (default) or environment-scoped, with environment-scoped policies taking precedence
- The Power Platform admin center provides analytics for Power Apps usage, Power Automate flow runs, and Dataverse capacity consumption
- Application lifecycle management (ALM) packages customizations into solutions that are unmanaged (editable, for development) or managed (locked, for deployment)
- Power Platform pipelines automate moving a managed solution through stages such as Development, Test, and Production, replacing slower manual export/import steps
Managing an environment is not just about who has access to which records — administrators also have to control which outside services can be combined in an app or flow, keep an eye on how the platform is actually being used, and move solutions safely from development into production. These three responsibilities — data privacy, monitoring, and application lifecycle management (ALM) — round out the governance skills the PL-900 exam expects.
Data Loss Prevention (DLP) Policies
A Data Loss Prevention (DLP) policy controls which connectors makers are allowed to combine within a single app or flow. Every connector available in Power Platform — SharePoint, Outlook, Twitter, Dropbox, a custom SQL connection, and hundreds of others — is classified into a data group:
- Business — connectors approved for handling organizational data
- Non-Business — connectors not approved for mixing with organizational data
- A connector can also be explicitly Blocked, preventing its use entirely regardless of grouping
The core rule a DLP policy enforces: a single app or flow cannot combine a Business connector with a Non-Business connector. This stops a well-meaning maker from accidentally building a flow that, say, pulls records out of Dataverse (Business) and posts them to a personal social media connector (Non-Business).
DLP policies can be scoped two ways:
| Scope | Behavior |
|---|---|
| Tenant-wide (default) | Applies to every environment that does not have its own more specific policy |
| Environment-scoped | Applies only to the environments it is explicitly assigned to, and takes precedence over the tenant-wide default policy for those environments |
Data Governance and Accessibility
Beyond DLP, larger organizations extend governance further with Microsoft Purview, which brings data cataloging, sensitivity labeling, and auditing across Power Platform alongside the rest of Microsoft 365 — giving compliance teams visibility into where sensitive data lives and how it flows between apps.
Makers are also expected to build apps that meet accessibility guidelines so that people using assistive technology (screen readers, keyboard-only navigation, high-contrast displays) can use them. Power Apps includes a built-in accessibility checker that flags common issues, such as missing labels or poor color contrast, directly in the app-authoring experience.
Monitoring and Analytics
The Power Platform admin center is also the home for usage monitoring and analytics across an environment or the whole tenant:
- Power Apps analytics — active users, app launches, session duration, and errors for canvas and model-driven apps
- Power Automate analytics — flow run counts, success and failure rates, and action-level details for cloud flows
- Dataverse capacity analytics — database, file, and log storage consumption, plus API request usage, tracked against the tenant's overall capacity limits
For deeper, custom telemetry beyond what the admin center surfaces out of the box, makers can connect canvas apps and flows to Application Insights, capturing custom events, traces, and exceptions for troubleshooting and performance analysis.
Many organizations also deploy Microsoft's Center of Excellence (CoE) Starter Kit — a free, open-source set of apps, flows, and dashboards — to inventory every app and flow across the tenant, identify unused or risky solutions, and drive adoption in a structured way.
Application Lifecycle Management (ALM) and Pipelines
Application lifecycle management (ALM) is the discipline of moving a solution through development, testing, and release in a controlled, repeatable way rather than editing configuration directly in a live Production environment. In Power Platform, customizations (apps, flows, tables, and more) are packaged into a solution, which exists in one of two states:
- Unmanaged solution — fully editable; used while a maker is actively building and configuring components in a development environment
- Managed solution — locked and read-only after import; used to deploy finished work into Test, UAT, or Production environments, and can be cleanly upgraded, patched, or uninstalled without leaving orphaned customizations behind
Manually exporting an unmanaged solution, converting it to managed, and importing it into the next environment works, but it is slow and error-prone as an organization scales. Power Platform pipelines solve this by letting a maker deploy their solution through a predefined sequence of stages — typically Development → Test → Production — directly from within the maker experience, with each stage's target environment configured in advance by an administrator.
Example: A maker finishes updating a solution in the Development environment and selects "Deploy" from the pipeline. The pipeline automatically exports the solution as managed, imports it into the Test environment for validation, and — once approved — imports the same managed solution into Production, with a full history of every deployment retained for auditing.
Pipelines reduce the manual, error-prone steps of ALM while still enforcing the separation between where solutions are built and where they run — tying this section back to the environment strategy introduced earlier in the chapter.
For organizations with more mature engineering practices, solutions can also be connected to a source control system such as Azure Repos or GitHub, exporting the solution's components as individual, human-readable files. This enables version history, code review, and branching for Power Platform customizations the same way a software team would manage application code, though PL-900 only expects awareness that this integration exists rather than hands-on configuration.
Taken together, DLP policies, admin center analytics, and ALM pipelines are what allow an organization to grow from a handful of makers experimenting in a Trial environment to dozens of teams safely building, monitoring, and releasing production solutions across the tenant.
A maker tries to build a flow that reads records from Dataverse and posts a summary to a personal Twitter account. The flow fails to save because of the tenant's DLP policy. What is the most likely reason?
What is the key difference between an unmanaged solution and a managed solution in Power Platform ALM?