Control 1.1: Restrict Agent Publishing by Authorization
Control ID: 1.1 | Pillar: Security | Regulatory Reference: FINRA 4511, SEC Rule 17a-4, GLBA 501(b) | Last UI Verified: February 2026 | Governance Levels: Baseline / Recommended / Regulated | Last Verified: 2026-02-03
Objective
Restrict who can publish AI agents to production environments by implementing security group-based authorization, separation of duties, and formal approval workflows.
Why This Matters for FSI
- FINRA 4511: Requires records of authorized activities - only authorized makers should publish, with all publishing logged
- SEC 17a-4: Publishing events must be captured in audit logs for examination
- GLBA 501(b): Restricting who can create agents protects customer data
- SOX 302: Publishing restrictions support segregation of duties requirements
Control Description
This control establishes authorization controls over who can create and publish AI agents in Microsoft 365 and Power Platform. Since Microsoft does not provide a native toggle to disable agent creation, the governance strategy shifts from prevention to containment through:
- Block Publishing - DLP policies block channel connectors
- Restrict Sharing - Disable "Share with Everyone" capability
- Route Away - Environment routing directs makers to governed environments
The control implements a "Sterile Default Environment Strategy" where the Default environment has all publishing channels blocked via DLP, combined with security group-based access control for designated maker environments.
Key Configuration Points
Maker Authorization
- Create security groups: FSI-Agent-Makers-*, FSI-Agent-Publishers-Prod, FSI-Agent-Approvers-Compliance
- Remove Environment Maker role from "All Users" in each environment
- Assign Environment Maker only to authorized security groups
- Restrict Copilot Studio agent creation to specific security groups (controls who can author agents)
- Configure agent sharing settings to control who can use published agents
- Configure Managed Environment sharing limits
- Implement release gates with approval workflows for production publishing
M365 Admin Center Agent Governance Actions (GA)
The Microsoft 365 Admin Center provides comprehensive agent lifecycle management at Copilot > Agents & connectors > Agents:
| Action | Description | Governance Impact |
|---|---|---|
| Publish | Admin approval required before agents become available | Helps prevent unauthorized agent distribution |
| Activate | Enable agent with governance template application | Applies organizational standards at activation |
| Deploy | Auto-install agents for targeted user groups | Controlled rollout with scope management |
| Pin | Pin up to 3 agents for organization-wide visibility | Managed discovery for approved agents |
| Block / Unblock | Prevent or restore agent availability | Immediate risk mitigation capability |
| Delete | Permanently remove agents from the tenant | Lifecycle termination control |
| Approve Updates | Review and approve agent version changes | Change management enforcement |
| Reassign Ownership | Transfer agent ownership between users | Continuity management for departing staff |
| Manage Ownerless | Handle agents without active owners | Orphaned agent governance |
| Export Inventory | Download agent inventory data | Audit and compliance reporting |
The agent inventory view also includes a Risks column that surfaces Entra-based risk alerts for individual agents, enabling administrators to identify and prioritize agents requiring governance review.
Agent-Level Authentication and Access Control
- Require user authentication for all agents: In Copilot Studio, navigate to each agent's Settings > Security and verify authentication is not set to "No Authentication." Use "Authenticate with Microsoft" (recommended for internal agents using Entra ID) or "Authenticate Manually" (for OAuth-based scenarios)
- Enforce sign-in for manual authentication: When using "Authenticate Manually," enable the "Require users to sign in" toggle to prevent anonymous interactions with the agent
- Set authentication timing to "Always": Configure authentication enforcement to require sign-in at the start of every session rather than "As Needed," which may allow unauthenticated session starts and create audit log gaps
- Restrict agent sharing scope: In Copilot Studio, configure agent sharing via Channels > Share Settings to restrict access to designated Copilot Readers or Security Groups. Do not allow unrestricted access ("Anyone" or "Any multi-tenant") for agents handling non-public data
- Control AI-featured agent publishing at tenant level: In Power Platform Admin Center > Tenant Settings, disable "Publish bots with AI features" until governance review confirms AI feature controls are in place
- Block unapproved shared agents: In the M365 Admin Center > Copilot > Agents & connectors > Agent Inventory, review and block agents that have not been through the approval workflow
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Any licensed user can create personal agents; no approval required; authentication recommended but not enforced | Low risk, no customer data |
| Zone 2 (Team) | Security group membership required; manager approval before production; authentication set to "Always" required; sharing restricted to security groups | Internal data access requires accountability |
| Zone 3 (Enterprise) | Strict group membership; Governance Committee + Legal review; quarterly certification; authentication set to "Always" required; sharing restricted to named security groups only; AI-featured publishing disabled until governance review complete | Customer-facing, regulatory examination risk |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Power Platform Admin | Configure environment security roles, Managed Environment settings |
| Entra Global Admin | Create and manage security groups in Entra ID |
| Compliance Officer | Approve production publishing, review audit logs |
| AI Governance Lead | Define approval workflow, governance tier requirements |
Related Controls
| Control | Relationship |
|---|---|
| 2.1 - Managed Environments | Enables sharing restrictions and governance features |
| 1.2 - Agent Registry | Tracks all published agents |
| 1.7 - Audit Logging | Logs all publishing attempts |
| 2.3 - Change Management | Approval workflow for promotions |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Advanced Implementation: Configuration Hardening Baseline
This control is covered by the Configuration Hardening Baseline, which consolidates SSPM-detectable settings across all 7 mapped controls into a single reviewable checklist with automation classification and evidence export procedures.
Advanced Implementation: Unrestricted Agent Sharing Detector
For continuous detection of overly permissive agent sharing configurations, see the Unrestricted Agent Sharing Detector. This solution scans all Copilot Studio agents for organization-wide sharing, public internet links, unapproved groups, excessive individual shares, and cross-tenant access — with automated approval-based remediation and exception management.
Governance Script: Agent Authentication Enforcement
Test-AgentAuthConfiguration.ps1 validates per-agent authentication configuration against 6 SSPM items with zone-based logic. Checks authentication mode, sign-in enforcement, timing settings, sharing scope, AI feature publishing, and agent approval status — with drift detection and SHA-256 evidence export.
Script Location: scripts/governance/Test-AgentAuthConfiguration.ps1
Governance Script: Publishing Restriction Validation
restrict-agent-publishing.ps1 validates 6 publishing restriction criteria: Environment Maker role removal, authorized security groups, Share with Everyone disabled, DLP connector blocking, Managed Environment sharing limits, and approval workflow status — with SHA-256 evidence export for audit readiness.
Script Location: scripts/governance/restrict-agent-publishing.ps1
Verification Criteria
Confirm control effectiveness by verifying:
- Non-authorized users cannot create or publish agents (test with non-member account)
- Authorized users can create agents in designated environments
- Production publishing requires membership in FSI-Agent-Publishers-Prod
- All publish events appear in Microsoft Purview Audit logs
- Sharing restrictions block "Share with Everyone" attempts
- No Copilot Studio agents are configured with "No Authentication" (Copilot Studio > Agent > Settings > Security)
- Agents using manual authentication have "Require users to sign in" enabled
- Authentication enforcement is set to "Always" for Zone 2/3 agents (not "As Needed")
- No agents are shared with unrestricted access ("Anyone" or "Any multi-tenant")
- "Publish bots with AI features" is disabled at tenant level or governance review is documented
- Unapproved agents are blocked in M365 Admin Center Agent Inventory
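The authentication, sharing and approval criteria above can be evaluated mechanically once per-agent settings have been exported. The following is an added example, not the repository's Test-AgentAuthConfiguration.ps1: it applies the zone rules from this page to a constructed three-agent inventory. The property names, and the choice to report Zone 1 authentication gaps as warnings rather than failures, are assumptions.

```powershell
# Added example: zone-based authentication/sharing check over a CONSTRUCTED inventory.
# Property names (Name, Zone, AuthMode, RequireSignIn, AuthTiming, SharingScope, Approved)
# are hypothetical; map them to the columns your own export actually contains.
$inventory = @(
    [pscustomobject]@{ Name='HR-FAQ';    Zone=2; AuthMode='Authenticate with Microsoft'; RequireSignIn=$true;  AuthTiming='Always';    SharingScope='SecurityGroup'; Approved=$true  }
    [pscustomobject]@{ Name='Rates-Bot'; Zone=3; AuthMode='Authenticate Manually';       RequireSignIn=$false; AuthTiming='As Needed'; SharingScope='Anyone';        Approved=$false }
    [pscustomobject]@{ Name='My-Notes';  Zone=1; AuthMode='No Authentication';           RequireSignIn=$false; AuthTiming='As Needed'; SharingScope='Owner';         Approved=$true  }
)

function Test-AgentRecord {
    param([Parameter(Mandatory)] $Agent)
    $findings = [System.Collections.Generic.List[string]]::new()
    $enforced = $Agent.Zone -ge 2   # Zone 1: authentication recommended, approval not required

    if ($Agent.AuthMode -eq 'No Authentication') {
        $findings.Add($(if ($enforced) { 'FAIL: No Authentication' } else { 'WARN: No Authentication (Zone 1, recommended only)' }))
    }
    if ($Agent.AuthMode -eq 'Authenticate Manually' -and -not $Agent.RequireSignIn) {
        $findings.Add('FAIL: manual authentication without "Require users to sign in"')
    }
    if ($enforced -and $Agent.AuthTiming -ne 'Always') {
        $findings.Add("FAIL: authentication timing is '$($Agent.AuthTiming)', Zone $($Agent.Zone) requires 'Always'")
    }
    if ($Agent.SharingScope -in @('Anyone', 'Any multi-tenant')) {
        $findings.Add("FAIL: unrestricted sharing scope '$($Agent.SharingScope)'")
    }
    if ($enforced -and -not $Agent.Approved) {
        $findings.Add('FAIL: not through approval workflow, block in Agent Inventory')
    }
    [pscustomobject]@{
        Name     = $Agent.Name
        Zone     = $Agent.Zone
        Status   = if ($findings -match '^FAIL') { 'NonCompliant' } else { 'Compliant' }
        Findings = $findings -join '; '
    }
}

$results = $inventory | ForEach-Object { Test-AgentRecord -Agent $_ }
$results | Format-Table -AutoSize -Wrap

# Evidence: hash the results JSON so a later reviewer can detect any alteration.
$json  = $results | ConvertTo-Json -Depth 3
$bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
$sha   = [System.Security.Cryptography.SHA256]::Create()
$hash  = [System.BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '').ToLower()
$sha.Dispose()
"SHA-256 of results JSON: $hash"
```

Store the JSON and its hash together with the export timestamp; comparing the hash of a later run against the stored one is a simple drift signal.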
Additional Resources
- Microsoft Learn: Environment security
- Microsoft Learn: Security roles and privileges
- Microsoft Learn: Copilot Studio security and governance
- Microsoft Learn: Managed Environments - Limit sharing
Agent Essentials (Preview)
Note: The following resources are preview documentation and may change.
- Microsoft Learn: Agent Deployment Checklist (Preview) - Microsoft's 8-category deployment readiness checklist including access and availability policies
- Microsoft Learn: Agent Visual Governance Guide (Preview) - Visual map of agent governance decision points
Implementation Note
Organizations should verify that their implementation meets their specific regulatory obligations. This control supports compliance efforts but requires proper configuration and ongoing validation.
Updated: February 2026 | Version: v1.3 | UI Verification Status: Current