Control 1.18: Application-Level Authorization and Role-Based Access Control (RBAC)
Control ID: 1.18
Pillar: Security
Regulatory Reference: FINRA 4511, FINRA 3110, FINRA 25-07, SOX 302/404, GLBA 501(b) Safeguards Rule, SEC Rule 17a-3/4, NIST SP 800-53 AC-2/AC-3/AC-5/AC-6
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Agent 365 Architecture Update
Entra Agent ID supports role assignments for agent identities, enabling RBAC policies to apply to agents as first-class directory objects alongside human users. See Unified Agent Governance for agent identity and role assignment details.
Dynamics 365 Mailbox Access
Organizations using Dynamics 365 with server-side sync should review mailbox access permissions as part of their Dataverse RBAC audit. Periodic review of approved email addresses (PPAC → Environments → Settings → Users → Manage user in Dynamics 365) helps verify continued business justification. This is tracked as a candidate for a future dedicated control. See the SSPM Control Mapping for current coverage status.
Objective
Implement role-based access control for Power Platform and Copilot Studio ensuring users have only permissions necessary for their job functions, with separation of duties, least-privilege access, and documented role assignments.
Why This Matters for FSI
- SOX 302/404: Supports segregation of duties and internal control over financial reporting (ICFR) by limiting who can change configurations affecting reportable systems
- GLBA 501(b) Safeguards Rule: Helps enforce least-privilege access to nonpublic personal information (NPI) processed by agents and connectors
- FINRA 4511 / 3110: Aids in maintaining books-and-records integrity (4511) and supervisory accountability (3110) by restricting who can publish, modify, or invoke agents that touch regulated records
- FINRA 25-07: Supports the access-control and supervisory-procedure expectations for AI systems, including documented role-based restrictions on who can deploy, modify, and operate AI agents
- SEC 17a-3/4: Helps meet examination expectations by producing exportable evidence of who has access to which systems and when
- NIST SP 800-53 AC-2/AC-3/AC-5/AC-6: Aligns with account management, access enforcement, separation of duties, and least-privilege control families for federal baseline alignment
Automation Available
See Conditional Access Automation in FSI-AgentGov-Solutions for CA policy deployment, compliance monitoring, and drift detection for AI workloads.
Control Description
This control establishes RBAC through a layered security model:
- Tenant-Level Roles - Power Platform Admin roles for global administration
- Environment-Level Roles - Security groups restrict environment access
- Dataverse Security Roles - Custom roles (Agent Publisher, Agent Viewer, Agent Tester) with specific privileges
- Record-Level Security - Row-level security, sharing rules, and column-level restrictions
- Privileged Identity Management - Just-in-time access for admin roles with approval workflows
- Access Reviews - Quarterly reviews to validate continued need for access
Key Configuration Points
Security Group and Role Configuration
- Create FSI security groups: `SG-PowerPlatform-Admins-Prod`, `SG-CopilotStudio-Makers-Prod`, `SG-CopilotStudio-Viewers-Prod`
- Create custom security roles: `FSI - Agent Publisher`, `FSI - Agent Viewer`, `FSI - Agent Tester`
- Assign roles to security groups (not individuals) for scalability
- Configure PIM for Dataverse System Admin role with 4-hour max activation and approval required
- Configure column-level security for sensitive fields (SSN, Account Balance, Credit Score)
- Establish quarterly access reviews with auto-removal for non-response
- Implement service principal credential rotation (90 days for Zone 3)
Agent Action Consent
- Require user consent before agent actions execute: In Copilot Studio, navigate to each agent's Tools and enable "Ask the user before running this action" for all tools. This prevents agents from performing unauthorized modifications or unintended operations without explicit user approval
- Use user-defined consent messages: Where available, configure consent prompts with clear descriptions of what the action will do rather than relying on AI-generated messages
Connected Agent Governance
- Restrict inter-agent connectivity: In Copilot Studio > Agent > Settings, under Connected Agents (Preview), disable "Let other agents connect to and use this one" by default. Enable only with documented approval and business justification
- Govern cross-agent trust boundaries: Agents serving distinct data sensitivity domains (e.g., customer-facing vs. internal) must not cross-invoke each other without explicit governance review. Connected agent access expands the attack surface and may enable unintended data sharing between agents
- Audit connected agent configurations: Review all agents with connected agent access enabled quarterly. Verify that cross-agent communication paths align with data classification requirements
Environment and Platform Admin Governance
- Define PPAC and environment admin roles: Assign Power Platform Admin Center administrative roles and environment-level System Administrator roles following the principle of least privilege. Limit System Administrator role to authorized users only
- Review admin role assignments: Audit admin roles quarterly to detect unauthorized privilege accumulation. Use PPAC > Environment > Settings > Users + Permissions > Users to review and manage role assignments
- Limit admin count per environment: Follow PPAC security recommendations to maintain fewer than 10 administrators per environment. Excessive admin assignments increase risk of unauthorized configuration changes
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Out-of-the-box Maker/Basic User roles; self-service onboarding; annual access attestation; agent action consent recommended; PIM not required | Personal-scope agents touch limited data; light-touch governance keeps friction low while preserving auditability |
| Zone 2 (Team) | Group-assigned custom roles (Publisher / Tester / Viewer); semi-annual access reviews with manager approval; PIM-for-Groups required for environment admin and System Customizer; agent action consent enforced; connected agents disabled by default | Team-scope agents handle business data; group-based assignment supports SOX 404 separation of duties and creates reviewable evidence |
| Zone 3 (Enterprise) | Custom least-privilege Dataverse roles only (no out-of-the-box admin); quarterly access reviews with auto-revocation on non-response; mandatory PIM-for-Groups with multi-approver workflow and ≤4-hour activation; column-level security on PII/NPI; service principal credential rotation ≤90 days; admin count <10 per environment; all role-change events forwarded to Sentinel/SIEM; agent action consent + connected-agent restriction enforced | Customer-facing/regulated workloads require examiner-grade evidence (FINRA 4511, SEC 17a-4) and demonstrable separation of duties for SOX 404 ICFR scope |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Power Platform Admin | Configure environment security roles, manage team assignments |
| Entra Global Admin | Create security groups, configure PIM |
| Compliance Officer | Review role assignments, validate audit evidence |
| AI Governance Lead | Define role requirements, approve role changes |
Related Controls
| Control | Relationship |
|---|---|
| 2.1 - Managed Environments | Environment structure enables role segmentation |
| 1.11 - Conditional Access | CA policies complement RBAC (Conditional Access Automation) |
| 1.23 - Step-Up Authentication | Conditional Access for Agent ID (Public Preview) — enables CA policies scoped to Agentic User identities for agent-specific RBAC enforcement |
| 2.8 - Access Control | Strategic SoD policies |
| Agent Sharing Access Restriction Detector | Restricts agent sharing to zone-based access policies (complements UASD) |
| 1.7 - Audit Logging | Role changes captured in audit log |
Automated Compliance: Conditional Access Automation
For automated deployment and compliance scanning of Conditional Access policies supporting application-level authorization and RBAC enforcement, see the Conditional Access Automation solution.
Capabilities:
- Automated deployment of CA policies enforcing role-based access for AI workloads
- Zone-specific policy templates for app consent and authorization controls
- Daily compliance scanning of CA policy drift affecting RBAC enforcement
- Teams adaptive card alerts when authorization policies are weakened or disabled
- SHA-256 evidence export with integrity hashing for FINRA/SEC examination support
Deployable Solution: conditional-access-automation provides PowerShell deployment scripts, Azure Automation runbook wrappers, and Power Automate flow definitions.
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Advanced Implementation: Configuration Hardening Baseline
This control is covered by the Configuration Hardening Baseline, which consolidates SSPM-detectable settings across all 7 mapped controls into a single reviewable checklist with automation classification and evidence export procedures.
March 2026 Preview Updates
Enhanced admin controls for authentication and access boundaries
⚠️ Preview feature: Power Platform enhanced admin controls entered public preview in March 2026 and are scheduled for April 2026 general availability. Microsoft notes that delivery timelines can change before release.
Microsoft documents new security settings at the environment or environment group level for agent sharing, anonymous access endpoints, and approved authentication providers. These policies are validated during agent deployment and runtime, which makes them a useful least-privilege backstop for RBAC programs.
| Capability | RBAC relevance |
|---|---|
| Approved authentication providers | Limit agents to sanctioned identity providers and reduce shadow identity paths |
| Anonymous access endpoint blocking | Removes unauthenticated access paths that bypass named-user or named-agent controls |
| Environment/environment-group policy scope | Apply the same access boundary consistently across related environments |
| Runtime validation | Blocks noncompliant deployments after configuration drift or an unexpected change |
Safe sharing and credential oversharing detection
⚠️ Preview feature: Safe-sharing enforcement that detects credential oversharing enters public preview in April 2026 and is scheduled for June 2026 general availability.
Microsoft documents that Copilot Studio can identify agents that rely on connections marked as not safe for sharing, surface inventory and advisor guidance, and block publishing or sharing of unsafe assets before exposure. For Control 1.18, this creates an additional authorization gate when an agent would otherwise inherit maker or system credentials beyond its approved scope.
FSI implementation guidance:
- Review unsafe-sharing signals during access reviews and publication approval, not only during incident response
- Treat maker or system credentials flagged as not safe for sharing as authorization exceptions requiring remediation before promotion
- Continue using RBAC, PIM, and access reviews as the primary controls; these preview checks are supplemental guardrails
- Use sharing-drift solutions and dashboards for continuous monitoring because this feature focuses on design, publish, and share stages
Verification Criteria
Confirm control effectiveness by verifying:
- Users in `FSI - Agent Viewer` role cannot create or modify agents (read-only)
- Users must activate PIM to access Dataverse System Admin in production
- Security role assignments export shows all assignments documented
- Access review completes with attestation for each role
- Service principal credential rotation completes within 90-day window
- All agent tools have "Ask the user before running this action" enabled (Copilot Studio > Agent > Tools)
- No agents have "Let other agents connect to and use this one" enabled without documented approval
- Environment admin count is below 10 per environment (PPAC > Environment > Users + Permissions)
- All System Administrator role assignments are documented and justified
- If enhanced admin controls are enabled, approved authentication providers and anonymous access endpoint settings are configured at environment or environment-group scope
- If safe-sharing preview is enabled, publish/share events using unsafe identities are blocked or documented with approved exception handling
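The admin-count, group-assignment, and credential-rotation criteria above can be evaluated offline against exported data. The following is an added PowerShell example, not part of the FSI-AgentGov playbooks: the function name `Test-FsiRbacExport`, the record fields, and the sample rows are constructed, and credential age is assumed to be measured from the secret's start date.

```powershell
# Added example. Record fields and sample data are constructed, not a real export schema.
function Test-FsiRbacExport {                 # hypothetical function name
    param(
        [Parameter(Mandatory)] [object[]] $Assignments,   # effective user-to-role rows
        [Parameter(Mandatory)] [object[]] $Credentials,   # service principal secrets
        [datetime] $AsOf = (Get-Date),
        [int] $AdminLimit = 10,               # page: fewer than 10 admins per environment
        [int] $MaxCredentialAgeDays = 90      # page: 90-day rotation for Zone 3
    )
    # Check 1: distinct System Administrators per environment must stay below the limit.
    $Assignments | Where-Object Role -eq 'System Administrator' |
        Sort-Object Environment, User -Unique |
        Group-Object Environment | Where-Object Count -ge $AdminLimit |
        ForEach-Object {
            [pscustomobject]@{ Check = 'AdminCount'; Subject = $_.Name
                Detail = "$($_.Count) System Administrators; limit is fewer than $AdminLimit" }
        }
    # Check 2: roles should reach users through security groups, not direct assignment.
    $Assignments | Where-Object AssignedVia -eq 'Direct' | ForEach-Object {
        [pscustomobject]@{ Check = 'DirectAssignment'; Subject = $_.User
            Detail = "'$($_.Role)' in $($_.Environment) is assigned to an individual" }
    }
    # Check 3: service principal credentials older than the rotation window.
    foreach ($cred in $Credentials) {
        $ageDays = [math]::Floor(($AsOf - $cred.StartDateTime).TotalDays)
        if ($ageDays -gt $MaxCredentialAgeDays) {
            [pscustomobject]@{ Check = 'CredentialAge'; Subject = $cred.AppName
                Detail = "Credential is $ageDays days old; window is $MaxCredentialAgeDays days" }
        }
    }
}

# Constructed sample: ten admins in one environment, one direct assignment, one stale secret.
$assignments = @(
    1..10 | ForEach-Object {
        [pscustomobject]@{ Environment = 'Prod-Zone3'; Role = 'System Administrator'
            User = "admin$($_)@contoso.example"; AssignedVia = 'SG-PowerPlatform-Admins-Prod' }
    }
    [pscustomobject]@{ Environment = 'Prod-Zone3'; Role = 'FSI - Agent Publisher'
        User = 'maker1@contoso.example'; AssignedVia = 'Direct' }
    [pscustomobject]@{ Environment = 'Prod-Zone3'; Role = 'FSI - Agent Viewer'
        User = 'viewer1@contoso.example'; AssignedVia = 'SG-CopilotStudio-Viewers-Prod' }
)
$credentials = @(
    [pscustomobject]@{ AppName = 'svc-agent-deploy';  StartDateTime = [datetime]'2026-01-02' }
    [pscustomobject]@{ AppName = 'svc-agent-monitor'; StartDateTime = [datetime]'2026-03-20' }
)
Test-FsiRbacExport -Assignments $assignments -Credentials $credentials `
    -AsOf ([datetime]'2026-04-15') | Format-Table -AutoSize
```

Each finding row names the criterion that failed and the affected environment, user, or application, so the output can be attached to the access-review evidence for that period.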
Additional Resources
- Microsoft Learn: Security Roles in Power Platform
- Microsoft Learn: Create Security Roles
- Microsoft Learn: Privileged Identity Management
- Microsoft Learn: Column-Level Security
- Microsoft Learn: Enhanced admin controls for agent security (Preview)
- Microsoft Learn: Safe sharing by detecting credential oversharing (Preview)
Agent-Level RBAC via Entra Agent ID
Note: Agent ID features are preview documentation and may change.
Microsoft Entra Agent ID extends RBAC concepts to AI agents:
- Microsoft Learn: Microsoft Entra Agent ID - Agent identity management for RBAC integration
- Microsoft Learn: Agent Identities for AI Agents - Agent-level access control configuration
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current