I covered what Advanced Connector Policies (ACP) are in an earlier post. This one is the practical follow-on, covering where the settings live, how single environment and environment group configuration differ, and what actually happens when you publish.

Two ways in

There are two places to configure an advanced connector policy in the Power Platform admin centre, and which one you use depends on scope.

Single environment: Security > Data and privacy > Advanced connector policies. Select the environment, click Manage Connectors and define the policy, Save. Done. No environment groups, and notably, no Managed Environments requirement. This route exists specifically so that anyone on classic DLP can migrate without extra licensing cost. (Note: without Managed Environments, the nonblockable connectors remain nonblockable.)

Advanced connector policies panel for a single environment, opened from Security, Data and privacy
The single-environment route: Security > Data and privacy > Advanced connector policies. No Managed Environments required.

Environment group: Manage > Environment groups > select your group > Rules tab > Advanced connector policies. Define the policy, Save, then click Apply changes from the command bar. This route does require Managed Environments.

Advanced connector policies rule being defined on an environment group
Defining the allow list on an environment group's ACP rule.

The one-per-environment rule applies regardless of route. Each environment has exactly one effective ACP, either set directly or inherited from its group. There is no policy stacking, no overlapping scopes, no mental arithmetic to work out the effective result. This alone fixes the single most confusing thing about classic DLP.

What you see when you open the panel

A fresh policy starts with the nonblockable connectors preloaded as allowed. Everything else in the certified catalogue is blocked. From there:

What Apply changes actually does

For environment groups, saving the rule isn't enough. You need to hit Apply changes from the command bar.

The Apply changes button highlighted on an environment group's rules tab after saving an ACP rule
Saving the rule only stages it. Apply changes is what pushes it to every environment in the group.

During publishing, the platform runs an environment lifecycle operation against every environment in the group, which cascades the policy to both the design-time and runtime infrastructure. You'll see it in environment history as "Update Managed Environment", which is useful for auditing when a policy change landed.

Environment history timeline showing an Edit event followed by an Update Managed Environment operation, both succeeded
The paper trail in environment history: the rule edit, then the lifecycle operation that cascades the policy.

One thing to be aware of here is that policy propagation is not instant. I've found that ACP changes can take several hours to take effect. Build propagation time into your change process and verify enforcement in the maker experience before declaring a change complete.

Groups, inheritance, and what happens on the way out

If you remove an environment from an environment group, it doesn't revert to an unpoliced state. It retains the last known ACP configuration from the group, which you can then adjust individually. That's a sensible failsafe, since leaving a group never silently drops your governance.

The environment group's advanced connector policy showing Applied status with 15 connectors allowed
The group's policy applied: 15 connectors allowed, 1,665 blocked.
An individual environment's advanced connector policy showing the same 15 allowed connectors retained from the group
The same environment after leaving the group, still carrying the group's allow list.

In the first post I covered what ACP changes about connector governance. Having now built and published policies with it, I'd add: it's also the operational model DLP should always have been. One policy per environment, a visible status, an audit trail, and a failsafe on the way out of a group.

← All posts