Tags: security, office365, powerapps, power-automate

Does PowerApps allow for untracked email or create security vulnerabilities?


I work for a government agency. We have a manager at our state central office who claims that PowerApps can’t be trusted given our organizational policies. As a government agency, we have to adhere to having a public record of things, like our emails. She seems to think one could use PowerApps to automate forwarding emails to their personal email box and that it isn’t tracked. Her quote is pasted below in quotes.

I know I can use an Office 365 Outlook connector to send out emails, sure… but those emails are tracked because I see them in my outbox. Even if I create a Power Automate flow to forward all my emails, I see a record of the forward, again, in my “Sent” email box. Is there any validity to her claim? Does anyone have, or has anyone heard of, examples where PowerApps was used to circumvent common policies or do things that are a little sketchy (do things that an IT security team would really frown on)? Currently we are unable to use PowerApps widely in our organization because of her objection(s). I'm trying to find examples of where what she claims is actually true. It is hard to prove a negative.

“With this product, a user can do things such as set up forwarding of their emails to an external address - which goes against state policies, and is NOT something we can track.”


Solution

  • Power Automate (Flow) does have connectors to 3rd-party providers and SMTP providers in general, so it would be possible to go past the Outlook 365 account to send an email, but even those cases can be audited. Basically, an admin can set up an audit trail for pretty much anything that happens on the platform:

    Search the audit log in the Compliance Center

    Microsoft Flow audit events now available in Office 365 Security & Compliance Center

    So as far as this part of the quoted statement:

    “and is NOT something we can track”

    That's incorrect.
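The audit trail the answer points at can be queried directly, and doing so is the concrete way to answer the manager's objection. The script below is an added example, not code from the original question or answer and not a Microsoft sample. It uses the real ExchangeOnlineManagement cmdlets Connect-ExchangeOnline, Search-UnifiedAuditLog and Get-Mailbox to pull (a) Power Automate flow create/edit events and the connectors each flow uses, (b) Exchange admin events that changed forwarding (mailbox settings, inbox rules, transport rules), and (c) the mailboxes currently forwarding regardless of when the change was made. The JSON field names read out of AuditData (FlowConnectorNames, Parameters, ObjectId) and the connector keyword list are assumptions based on the shape of those records; adjust them if your tenant's events differ.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example (not part of the original thread): an admin-side audit sweep
# showing that both Flow activity and mailbox forwarding changes are recorded.
# Assumes an account with audit-log read rights in the tenant.
param(
    [int]$Days = 30   # look-back window for the audit search
)

Connect-ExchangeOnline

$start = (Get-Date).AddDays(-$Days)
$end   = Get-Date

# (a) Every Flow created or edited in the window, with the connectors it uses.
$flowEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType MicrosoftFlow -Operations CreateFlow, EditFlow -ResultSize 5000

$flowReport = foreach ($e in $flowEvents) {
    $d = $e.AuditData | ConvertFrom-Json          # AuditData is a JSON string
    [pscustomobject]@{
        When       = $e.CreationDate
        User       = $e.UserIds
        Operation  = $e.Operations
        Connectors = ($d.FlowConnectorNames -join ', ')   # assumed field name
    }
}

# Flows that can send mail or post to an arbitrary endpoint deserve review.
# Keyword list is a constructed starting point, not an exhaustive one.
$mailConnectors = 'office365', 'smtp', 'gmail', 'sendgrid', 'http'
$flowReport | Where-Object {
    $c = $_.Connectors
    $mailConnectors | Where-Object { $c -match $_ }
} | Format-Table -AutoSize

# (b) Forwarding changes, whether made through Flow, OWA, Outlook or PowerShell,
# land in the Exchange admin audit trail under these operations.
$fwdOps = 'Set-Mailbox', 'New-InboxRule', 'Set-InboxRule',
          'New-TransportRule', 'Set-TransportRule'
$fwdEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType ExchangeAdmin -Operations $fwdOps -ResultSize 5000

$fwdReport = foreach ($e in $fwdEvents) {
    $d = $e.AuditData | ConvertFrom-Json
    # Parameters is a list of {Name, Value}; keep only forwarding-related ones.
    $p = $d.Parameters | Where-Object { $_.Name -match 'Forward|Redirect|BlindCopyTo' }
    if ($p) {
        [pscustomobject]@{
            When      = $e.CreationDate
            Actor     = $e.UserIds
            Operation = $e.Operations
            Target    = $d.ObjectId                # mailbox or rule acted on
            Setting   = ($p | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}
$fwdReport | Format-Table -AutoSize

# (c) Current state, independent of the log window: mailboxes forwarding right now.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward
```

Run it as a tenant admin (for example `.\audit-sweep.ps1 -Days 90`). Part (b) is the one that settles the "NOT something we can track" claim: a flow that forwards mail either goes through the Office 365 Outlook connector, which leaves the sent items the question already mentions and a Flow audit event, or it changes a mailbox or rule setting, which appears here as a Set-Mailbox or New-InboxRule record with the forwarding address in its parameters. Unified audit logging must be enabled in the tenant for Search-UnifiedAuditLog to return anything, so confirm that first if the searches come back empty.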