
Prerequisites

Requirements for deploying the Action Confirmation Auditor.


Licensing

Requirement                       | Purpose
----------------------------------|------------------------------------------------------------
Power Platform Premium            | Power Automate flows (ACA-Scanner, ACA-Exception-Approval)
Dataverse capacity                | Scan run, audit result, and exception storage
Microsoft 365 E5 or E5 Compliance | Tenant-wide agent and action visibility
Azure Automation                  | Scheduled runbook execution for compliance scans

Permissions

Microsoft Entra ID Roles

Role                                       | Required For
-------------------------------------------|------------------------------------------------
Power Platform Admin                       | Cross-environment agent and action enumeration
Application Administrator (or equivalent)  | App registration for service principal

Power Platform Roles

Role                  | Required For
----------------------|-----------------------------------------------------------
System Administrator  | Dataverse table creation and schema deployment
System Customizer     | Environment variable and connection reference creation

Dataverse Permissions

Permission         | Table                            | Purpose
-------------------|----------------------------------|--------------------------------------------------
Read               | bot                              | Enumerate Copilot Studio agents
Read               | botcomponent                     | Inspect agent topic definitions and action nodes
Create/Read/Write  | fsi_ActionAuditResult            | Store violation records
Create/Read/Write  | fsi_ActionConfirmationException  | Manage exceptions
Create/Read/Write  | fsi_ActionScanRun                | Store scan run history

Microsoft Entra ID App Registration

  1. Register Application
     • Navigate to Entra ID > App registrations > New registration
     • Name: ACA-ActionConfirmationAuditor
     • Supported account types: Single tenant
     • Redirect URI: Not required (daemon/service)

  2. API Permissions
     • Microsoft Graph: Application.Read.All (Application)
     • Dynamics CRM: user_impersonation (Delegated) or configure S2S
     • Admin consent: Required

     The delegated user_impersonation permission only works when a user signs in. The validation runbook runs unattended with a certificate, so in practice the S2S path is required: add the service principal as an application user in each target Dataverse environment and assign it a security role that carries the Dataverse permissions listed above. Without that application user, Dataverse rejects the runbook's token even though the Entra ID consent is in place.

  3. Certificate Authentication
     • Create or upload a certificate for the app registration (the public .cer goes on the app registration; the .pfx with the private key goes to Azure Automation)
     • Record the certificate thumbprint for Azure Automation configuration
     • Certificate-based auth is required for the validation runbook

  4. Record Values
     • Application (client) ID > Pass as -ClientId runbook parameter
     • Directory (tenant) ID > Pass as -TenantId runbook parameter
     • Certificate thumbprint > Pass as -CertificateThumbprint runbook parameter

Azure Automation Setup

  1. Create or Use Existing Automation Account
     • Resource group: Governance or shared services
     • Location: Same region as the Power Platform environment

  2. Import Runbook
     • Import Start-ActionConfirmationValidationRunbook.ps1 as a PowerShell 7.2 runbook
     • Publish the runbook

  3. Configure Authentication
     • Upload the certificate (.pfx with the private key) to the Azure Automation certificate store; the runbook must be able to sign with it
     • The runbook authenticates with the certificate via the -ClientId and -CertificateThumbprint parameters

  4. Install Required Modules
     • Az.Accounts (for authentication)
     • MSAL.PS (if using client credential flow)

Dataverse Schema

The ACA solution uses three Dataverse tables:

Table                          | Logical Name                     | Purpose
-------------------------------|----------------------------------|------------------------------------------
Action Audit Result            | fsi_actionauditresult            | Individual violation records per action
Action Confirmation Exception  | fsi_actionconfirmationexception  | Approved exception records
Action Scan Run                | fsi_actionscanrun                | Scan execution history and summary

Deploy using:

python scripts/create_dataverse_schema.py \
  --environment-url https://yourorg.crm.dynamics.com \
  --client-id <app-id> \
  --client-secret <secret> \
  --tenant-id <tenant-id>

This one-off deployment step authenticates with a client secret rather than the certificate the runbook uses, so the app registration needs a secret for it, and the identity must hold the System Administrator role listed under Power Platform Roles (table creation). Keep the secret out of shell history and command logs, and remove it from the app registration once the schema is deployed; the scheduled runbook does not need it.

See dataverse-schema.md for the auto-generated column reference.


Network Requirements

Endpoint                   | Protocol   | Purpose
---------------------------|------------|-----------------------------------
*.crm.dynamics.com         | HTTPS 443  | Dataverse Web API
login.microsoftonline.com  | HTTPS 443  | Microsoft Entra ID authentication
management.azure.com       | HTTPS 443  | Azure Automation API
api.bap.microsoft.com      | HTTPS 443  | Power Platform Admin API

The *.crm.dynamics.com entry matches North America environments only. Environments in other regions use a regional Dataverse host (for example *.crm4.dynamics.com or *.crm11.dynamics.com), so allow the host that appears in each target environment's URL.

Environment Lifecycle Management (ELM) Integration

ACA uses zone classification from the Environment Lifecycle Management (ELM) solution to determine confirmation requirements per environment. Zone classification is resolved using the shared module:

  • Shared module: scripts/shared/Get-ZoneClassification.ps1 (repository root)
  • Local wrapper: scripts/private/Get-ZoneClassification.ps1

If ELM is not deployed, zone classification defaults to Zone 3 (most restrictive) for all environments.


Validation Checklist

  • E5 or E5 Compliance license available
  • Power Platform Premium for flow creator
  • Dataverse environment ready with sufficient capacity
  • Microsoft Entra ID app registration created (ACA-ActionConfirmationAuditor)
  • Admin consent granted for API permissions
  • Azure Automation account configured with runbook imported
  • Service principal is registered as an application user in each target environment with Dataverse read access to the bot and botcomponent tables
  • Service principal's security role grants create/read/write on fsi_actionauditresult, fsi_actionconfirmationexception, and fsi_actionscanrun
  • Network connectivity to required endpoints verified
  • Zone classification source configured (ELM or default Zone 3)
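The following preflight script exercises the checklist above end to end: endpoint reachability, certificate-based sign-in with the same -TenantId/-ClientId/-CertificateThumbprint values the runbook takes, the S2S application-user setup, read privilege on bot and botcomponent, and the presence of the three fsi_ tables. It is an added example, not part of the ACA solution or its runbook. It assumes the certificate is available in the local certificate store (in Azure Automation, retrieve it with Get-AutomationCertificate first so Connect-AzAccount can find it by thumbprint) and that the Dataverse entity set names for the bot and botcomponent tables are bots and botcomponents. It is read-only and creates no records.

```powershell
<#
  Preflight check for the ACA prerequisites listed on this page.
  Added example, not part of the ACA solution. Assumptions (not from the page):
    - the app registration's certificate is in the local certificate store
      (in Azure Automation, call Get-AutomationCertificate first);
    - Dataverse entity set names for bot / botcomponent are bots / botcomponents.
  Requires Az.Accounts on PowerShell 7.2+. Read-only: it creates no records.
#>
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $CertificateThumbprint,
    [Parameter(Mandatory)] [string] $EnvironmentUrl   # e.g. https://yourorg.crm.dynamics.com
)

$ErrorActionPreference = 'Stop'
$EnvironmentUrl = $EnvironmentUrl.TrimEnd('/')

# 1. Network: every endpoint in the Network Requirements table must accept TCP 443.
#    The Dataverse host is taken from the environment URL, so a regional host
#    (crm4, crm11, ...) is tested rather than only crm.dynamics.com.
$targets = @(([uri]$EnvironmentUrl).Host, 'login.microsoftonline.com',
             'management.azure.com', 'api.bap.microsoft.com')
foreach ($h in $targets) {
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        if (-not $tcp.ConnectAsync($h, 443).Wait(5000)) { throw 'timeout' }
        Write-Host "[ok] ${h}:443 reachable"
    } catch {
        throw "Cannot reach ${h}:443 - $($_.Exception.Message)"
    } finally {
        $tcp.Dispose()
    }
}

# 2. Authentication: the same client-credential + certificate flow the runbook uses.
#    Fails if the certificate was never attached to the app registration.
$null = Connect-AzAccount -ServicePrincipal -TenantId $TenantId -ApplicationId $ClientId `
            -CertificateThumbprint $CertificateThumbprint
Write-Host "[ok] signed in as service principal $ClientId"

# Token scoped to the Dataverse environment (audience = environment URL).
# Newer Az.Accounts versions return the token as a SecureString; handle both.
$token = (Get-AzAccessToken -ResourceUrl $EnvironmentUrl).Token
if ($token -is [System.Security.SecureString]) {
    $token = ConvertFrom-SecureString -SecureString $token -AsPlainText
}
$headers = @{
    Authorization      = "Bearer $token"
    'OData-MaxVersion' = '4.0'
    'OData-Version'    = '4.0'
    Accept             = 'application/json'
}
$api = "$EnvironmentUrl/api/data/v9.2"

# 3. S2S setup: WhoAmI succeeds only if the service principal has been added as an
#    application user with a security role in this environment; otherwise
#    Dataverse answers 401/403 even though Entra ID issued the token.
$me = Invoke-RestMethod -Uri "$api/WhoAmI" -Headers $headers
Write-Host "[ok] Dataverse application user: $($me.UserId)"

# 4. Read privilege on bot and botcomponent (Dataverse Permissions table).
foreach ($set in 'bots', 'botcomponents') {
    $null = Invoke-RestMethod -Uri "$api/${set}?`$top=1" -Headers $headers
    Write-Host "[ok] read privilege on $set"
}

# 5. Schema deployed: the three fsi_ tables from the Dataverse Schema section exist.
foreach ($table in 'fsi_actionauditresult', 'fsi_actionconfirmationexception', 'fsi_actionscanrun') {
    $meta = Invoke-RestMethod -Uri "$api/EntityDefinitions(LogicalName='$table')?`$select=EntitySetName" -Headers $headers
    Write-Host "[ok] table $table -> entity set $($meta.EntitySetName)"
}

Write-Host 'Prerequisite checks passed.'
```

Run it locally with the certificate in Cert:\CurrentUser\My, or as a throwaway runbook in the Automation account to confirm the sandbox can reach the endpoints and resolve the certificate asset. The script deliberately does not probe create/write privilege on the fsi_ tables, since that would leave test records behind; verify those privileges on the application user's security role in the Power Platform admin center instead.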

Action Confirmation Auditor v1.1.0