0
votes

I work for a government agency. We have a manager at our state central office who claims that PowerApps can’t be trusted given our organizational policies. As a government agency, we have to adhere to having a public record of things, like our emails. She seems to think one could use PowerApps to automate forwarding emails to their personal email box and that it isn’t tracked. Her quote is pasted below in quotes.

I know I can use an Office 365 Outlook connector to send out emails, sure… but those emails are tracked because I see them in my out box. Even if I create a Power Automate flow to forward all my emails, I see a record of the forward, again, in my “Sent” email box. Is there any validity to her claim? Does anyone have or have heard of examples where PowerApps was used to circumvent common policies or do things that are a little sketchy (do things that an IT security team would really frown on)? Currently we are unable to use PowerApps widely in our organization because of her objection(s). I'm trying to find examples of where what she claims is actually true. It is hard to prove a negative.

“With this product, a user can do things such as set up forwarding of their emails to an external address - which goes against state policies, and is NOT something we can track.”

1
In Power Automate, there is a connector config that you can divide into two separate groups. What your co-worker is stating is that if all MS connectors are configured into one group, then in the other group, they won't specify which Azure or M365 tenant you can connect to. The user can then create a personal tenant. A way to prevent this from happening is with Tenant restrictions, where IT controls access to SaaS cloud apps, based on Azure AD tenant app use for SSO. Here is a link on how it works: docs.microsoft.com/en-us/azure/active-directory/manage-apps/… - Ethan

1 Answer

1
votes

Power Automate (Flow) does have connectors to 3rd-party providers and SMTP providers in general, so it would be possible to go past the Outlook365 account to send an email, but even those cases can be audited. Basically, an admin can set up an audit trail for pretty much anything that happens on the platform:

Search the audit log in the compliance Center

Microsoft Flow audit events now available in Office 365 Security & Compliance Center

So as far as this part of the quoted statement

and is NOT something we can track

That's incorrect.
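
As an added illustration (not part of the answer above), this is one way an administrator could pull the Flow audit events the answer refers to and summarize them per user. It assumes the ExchangeOnlineManagement module, an account allowed to search the audit log, and a 30-day window; the output file name is a placeholder.

```powershell
# Added example: list Power Automate (Flow) audit records for review.
# Assumptions: ExchangeOnlineManagement module installed, audit logging
# enabled in the tenant, 30-day look-back, output path is a placeholder.
Connect-ExchangeOnline

$start   = (Get-Date).AddDays(-30)
$end     = Get-Date
$session = [guid]::NewGuid().ToString()   # ties the paged calls together
$records = @()

# Page through every audit record whose record type is Microsoft Flow.
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType MicrosoftFlow -SessionId $session `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while ($page -and $page.Count -eq 5000)

# ReturnLargeSet can hand back duplicates, so de-duplicate on Identity,
# then keep the fields a reviewer needs plus the raw JSON payload.
$events = $records | Sort-Object Identity -Unique | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        Workload  = $data.Workload
        Raw       = $_.AuditData
    }
}

# Who did what, most active first.
$events | Group-Object User, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep a full copy for records retention or further review.
$events | Sort-Object Time |
    Export-Csv -Path .\flow-audit.csv -NoTypeInformation
```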