
Portal Walkthrough: Control 1.18 - Application-Level Authorization and RBAC

Last Updated: May 2026
Portal: Power Platform Admin Center, Microsoft Entra Admin Center
Estimated Time: 3-5 hours

Prerequisites

  • Power Platform Admin role
  • Entra Global Admin or Entra Privileged Role Admin
  • Dataverse System Admin for security role creation

Step-by-Step Configuration

Step 1: Create Security Groups

  1. Open Microsoft Entra Admin Center
  2. Navigate to Groups > All groups
  3. Create the following security groups:
     • SG-PowerPlatform-Admins-Prod
     • SG-CopilotStudio-Makers-Prod
     • SG-CopilotStudio-Viewers-Prod
     • SG-CopilotStudio-Testers-Prod

Step 2: Create Custom Dataverse Security Roles

Dataverse-only. Steps 2–3 apply to Dataverse-backed environments (all Microsoft Copilot Studio environments). For non-Dataverse environments, use environment-level role assignments via PPAC > Environments > Settings > Users + permissions.

  1. Open Power Platform Admin Center
  2. Select environment > Settings > Users + permissions > Security roles
  3. For each role below: select + New role, set the Business unit to the root BU, name the role per the convention, then on the Core records / Custom entities tabs grant only the privileges listed.

FSI - Agent Publisher:
  • Bot: Create, Read, Write, Delete, Append, Append To
  • Bot Component: Create, Read, Write, Delete
  • Environment: Read

FSI - Agent Viewer:
  • Bot: Read
  • Bot Component: Read
  • Environment: Read

FSI - Agent Tester:
  • Bot: Read, Write
  • Bot Component: Read
  • Environment: Read

Assign / Share privileges: For all three FSI roles above, set Assign and Share explicitly to None on each Bot and Bot Component entity. Setting these to None explicitly (rather than leaving them implicit) surfaces the choice during role review and lets an examiner confirm that record-sharing pathways are not granted by omission.

Step 3: Assign Roles to Security Groups

  1. In Power Platform Admin Center
  2. Select environment > Settings > Users + permissions > Teams
  3. Create teams linked to security groups
  4. Assign security roles to teams

Step 4: Configure Privileged Identity Management

Licensing prerequisite: PIM and PIM-for-Groups require Microsoft Entra ID P2 for every assigned and eligible user. Without P2, eligibility-based assignments will not appear.

  1. Open Microsoft Entra Admin Center
  2. Navigate to Identity governance > Privileged Identity Management
  3. For directory roles (Power Platform Admin, AI Administrator): select Microsoft Entra roles > Roles > target role > Settings
  4. For environment / Dataverse access (recommended pattern): select Groups > add SG-PowerPlatform-Admins-Prod > Settings > Member role
  5. Configure activation settings:
     • Maximum activation duration: 4 hours (Zone 3) / 8 hours (Zone 2). The Microsoft platform upper bound for PIM activation is 24 hours per activation; FSI policy intentionally sets a tighter cap to support supervisory review windows. Tighter caps must be set per role/group in the PIM Settings blade.
     • Require approval to activate: Yes (Zone 3 — minimum 2 approvers from CISO/Security Lead)
     • Require MFA on activation: Yes (all zones)
     • Require justification on activation: Yes
     • Require ticket information on activation: Yes (Zone 3)
     • Notification on activation: route to Sentinel/SIEM via Entra audit log forwarding
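The activation settings above only apply to principals that are made eligible through PIM; a permanent active role assignment or a standing membership of the admin group bypasses approval, MFA-on-activation and the duration cap entirely. The following script is an added example (not part of this walkthrough or of any Microsoft sample) that uses the Microsoft Graph PowerShell SDK to list such standing privileged access for the two Step 4 directory roles and for SG-PowerPlatform-Admins-Prod. It assumes the SDK is installed, that the role display names match the tenant, that the group is the one created in Step 1, and that the tenant holds Entra ID P2 as required by the licensing note.

```powershell
# Added example for Step 4 (not part of the walkthrough or any Microsoft sample).
# Lists standing (non-PIM) privileged access that bypasses the activation settings above:
#   1. permanent active assignments of the Step 4 directory roles, and
#   2. members of SG-PowerPlatform-Admins-Prod whose membership did not come from a PIM-for-Groups activation.
# Assumptions: Microsoft.Graph SDK installed; role display names as shown in Entra; Entra ID P2 licensed.
$scopes = @('RoleManagement.Read.Directory', 'PrivilegedAccess.Read.AzureADGroup', 'GroupMember.Read.All')
Connect-MgGraph -Scopes $scopes -NoWelcome

# Resolve a principal id to a readable name for the review record; falls back to the id itself.
function Resolve-PrincipalName {
    param([string] $Id)
    try   { (Get-MgDirectoryObject -DirectoryObjectId $Id).AdditionalProperties['displayName'] }
    catch { return $Id }
}

$findings = [System.Collections.Generic.List[object]]::new()

# --- 1. Directory roles named in Step 4 ---------------------------------------------------------
foreach ($roleName in @('Power Platform Administrator', 'AI Administrator')) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
    if (-not $def) { Write-Warning "Directory role '$roleName' not found in this tenant"; continue }

    $active = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All `
        -Filter "roleDefinitionId eq '$($def.Id)'"
    foreach ($a in $active) {
        # 'Activated' means the holder went through PIM activation (expected under Step 4).
        # 'Assigned' with no end date is a permanent, always-on assignment outside PIM control.
        if ($a.AssignmentType -eq 'Assigned' -and -not $a.EndDateTime) {
            $findings.Add([pscustomobject]@{
                Scope     = "Entra role: $roleName"
                Principal = Resolve-PrincipalName $a.PrincipalId
                Via       = $a.MemberType            # 'Direct' or 'Group'
                Issue     = 'Permanent active assignment; should be PIM-eligible instead'
            })
        }
    }
}

# --- 2. PIM-for-Groups target (the recommended pattern in Step 4) --------------------------------
$group = Get-MgGroup -Filter "displayName eq 'SG-PowerPlatform-Admins-Prod'"
if ($group) {
    # Principals whose current membership is the result of a PIM activation
    $activated = @(Get-MgIdentityGovernancePrivilegedAccessGroupAssignmentScheduleInstance -All `
        -Filter "groupId eq '$($group.Id)' and accessId eq 'member'" |
        Where-Object { $_.AssignmentType -eq 'activated' } |
        ForEach-Object { $_.PrincipalId })
    # Every other current member holds standing membership and never passes through activation
    foreach ($m in Get-MgGroupMember -GroupId $group.Id -All) {
        if ($activated -notcontains $m.Id) {
            $findings.Add([pscustomobject]@{
                Scope     = "Group: $($group.DisplayName)"
                Principal = Resolve-PrincipalName $m.Id
                Via       = 'Direct'
                Issue     = 'Standing membership; should be eligible via PIM-for-Groups'
            })
        }
    }
} else {
    Write-Warning 'SG-PowerPlatform-Admins-Prod not found; complete Step 1 first'
}

if ($findings.Count -eq 0) { 'No standing privileged access found for the Step 4 roles and group.' }
else { $findings | Format-Table -AutoSize }
```

Run it after the PIM settings are saved and again as part of each access review cycle; an empty result is the evidence that every holder of these roles reaches them only through the approval, MFA and duration controls configured above.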

Step 5: Configure Column-Level Security

  1. In Power Platform Admin Center > Environment > Settings
  2. Navigate to Users + permissions > Field security profiles (Microsoft Learn also uses "column-level security" interchangeably; the PPAC node remains labelled Field security profiles)
  3. Create profile: FSI-SensitiveFields-Prod
  4. Add sensitive columns by enabling Column security on the column definition first (Solutions > target table > column > Advanced options > Enable column security: On) — this is required before the column appears in the profile
  5. Common FSI columns to protect: SSN/Tax ID, account number, account balance, credit score, date of birth, government ID
  6. Assign the profile to the security groups (or Dataverse teams) that require access; all other users default to no access

Step 6: Set Up Access Reviews

  1. Open Microsoft Entra Admin Center
  2. Navigate to Identity governance > Access reviews
  3. Create a review for each security group:
     • Frequency: Quarterly (Zone 2/3), Annual (Zone 1)
     • Reviewers: Group owners
     • Auto-remove on non-response: Yes
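The three settings above map onto a Microsoft Graph access review definition: the recurrence carries the frequency, the reviewer scope points at the group's owners, and "auto-remove on non-response" is expressed by enabling a default decision of Deny and auto-applying results. The script below is an added example (not part of this walkthrough or of any Microsoft sample) that creates one such review per Step 1 group with the Microsoft Graph PowerShell SDK. The group-to-zone mapping, the 14-day review window, and the exact reviewer query string ("/groups/{id}/owners") are assumptions for the example; the page does not state them. The interval follows Step 6 (quarterly for Zone 2/3); note that the Configuration by Governance Level table lists semi-annual for Zone 2, so adjust the single interval variable to whichever cadence the environment's classification requires.

```powershell
# Added example for Step 6 (not part of the walkthrough or any Microsoft sample).
# Creates a recurring access review for each Step 1 security group, reviewed by the group owners,
# with non-response treated as Deny and decisions auto-applied (Step 6: auto-remove on non-response).
# Assumptions: Microsoft.Graph SDK installed; groups from Step 1 exist; zone mapping and 14-day window are illustrative.
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All', 'Group.Read.All' -NoWelcome

# Group -> governance zone (assumed for the example; take it from the environment classification in practice)
$groupZones = @{
    'SG-PowerPlatform-Admins-Prod'  = 3
    'SG-CopilotStudio-Makers-Prod'  = 2
    'SG-CopilotStudio-Testers-Prod' = 2
    'SG-CopilotStudio-Viewers-Prod' = 1
}

foreach ($entry in $groupZones.GetEnumerator()) {
    $group = Get-MgGroup -Filter "displayName eq '$($entry.Key)'"
    if (-not $group) { Write-Warning "Group $($entry.Key) not found; complete Step 1 first"; continue }

    # Step 6 frequency: quarterly for Zone 2/3, annual for Zone 1 (expressed as a month interval)
    $intervalMonths = if ($entry.Value -ge 2) { 3 } else { 12 }

    $body = @{
        displayName          = "FSI 1.18 access review - $($entry.Key)"
        descriptionForAdmins = "Control 1.18: recurring membership review of $($entry.Key) (Zone $($entry.Value))"
        scope = @{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query         = "/groups/$($group.Id)/transitiveMembers"   # review every member, nested groups included
            queryType     = 'MicrosoftGraph'
        }
        # Step 6 reviewers: group owners (query form assumed; see accessReviewReviewerScope in Graph docs)
        reviewers = @(@{ query = "/groups/$($group.Id)/owners"; queryType = 'MicrosoftGraph' })
        settings = @{
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            justificationRequiredOnApproval = $true
            recommendationsEnabled          = $true
            instanceDurationInDays          = 14        # assumed review window
            defaultDecisionEnabled          = $true     # non-response counts as a decision...
            defaultDecision                 = 'Deny'    # ...and that decision is removal
            autoApplyDecisionsEnabled       = $true     # apply without a manual "apply results" step
            recurrence = @{
                pattern = @{ type = 'absoluteMonthly'; interval = $intervalMonths; dayOfMonth = 1 }
                range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
            }
        }
    }

    $review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $body
    [pscustomobject]@{
        Group       = $entry.Key
        Zone        = $entry.Value
        EveryMonths = $intervalMonths
        ReviewId    = $review.Id
    }
}
```

Keep the returned review ids with the control evidence; the Validation checklist item "Access reviews scheduled" can then be confirmed by reading the definitions back rather than by screenshot.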

Configuration by Governance Level

| Setting         | Baseline (Zone 1) | Recommended (Zone 2) | Regulated (Zone 3)     |
|-----------------|-------------------|----------------------|------------------------|
| Role Assignment | Standard roles    | Group-based custom   | Least-privilege custom |
| Access Review   | Annual            | Semi-annual          | Quarterly              |
| PIM             | Not required      | Admin roles          | All privileged roles   |
| Approval        | Self-service      | Manager              | Multi-level            |
| Column Security | None              | Sensitive fields     | All PII/NPI fields     |

Step 7: Require User Consent for Agent Actions

  1. Open Copilot Studio (https://copilotstudio.microsoft.com)
  2. Navigate to Agents and select each agent
  3. Go to Tools and locate each configured tool
  4. For every action, enable "Ask the user before running this action"
  5. On every action where consent is required, configure the user-facing prompt yourself rather than relying on the auto-generated text. Use language that names the system being touched and the data being read or written — this is what an FSI examiner will read when reviewing whether consent was meaningful.
  6. Repeat for all agents in Zone 2 and Zone 3 environments

Step 8: Configure Connected Agent Governance

  1. In Copilot Studio, select each agent
  2. Navigate to Settings > Connected agents. This is the multi-agent collaboration surface; verify the literal menu label at apply-time, since some tenants surface it as 'Agents' depending on UI release ring. The A2A protocol underpinning cross-agent invocation reached GA in April 2026, but the per-agent connectivity toggle may still carry a Preview label in some tenants (https://learn.microsoft.com/en-us/microsoft-copilot-studio/authoring-add-other-agents).
  3. Locate the toggle that controls whether other agents can connect to and invoke this agent
  4. Set to Disabled by default
  5. Enable only with:
     • Documented business justification
     • Cross-agent data handling review
     • Compliance officer sign-off
  6. Document all approved inter-agent connections and review quarterly

Step 9: Review Environment Admin Roles

  1. Sign in to Power Platform Admin Center (https://admin.powerplatform.microsoft.com)
  2. Navigate to Environments > select the target environment > Settings > Users + Permissions > Users
  3. Review all users with System Administrator role
  4. For any assignment that is not justified, select the user > Manage Roles > remove System Administrator
  5. Ensure fewer than 10 administrators per environment (FSI-imposed threshold — not a Microsoft published recommendation; see footer note)
  6. Document all admin role assignments with business justification
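Both the Step 2 requirement (Assign and Share set to None on the FSI roles) and the Step 9 threshold (fewer than 10 System Administrators) can be verified from the environment's Dataverse Web API instead of by reading portal screens, which also catches administrators who inherit the role through a team created in Step 3 and therefore do not appear on the per-user view. The script below is an added example (not part of this walkthrough or of any Microsoft sample). It assumes that `$EnvironmentUrl` is the environment's organisation URL (a placeholder is shown), that `$AccessToken` is a bearer token issued for that URL (for example from `Get-AzAccessToken -ResourceUrl $EnvironmentUrl`), and that the Bot and Bot Component sharing privileges follow the Dataverse prv<Action><Table> naming convention (prvAssignBot, prvShareBot, prvAssignBotComponent, prvShareBotComponent are assumed names, not taken from the page).

```powershell
# Added example for Steps 2 and 9 (not part of the walkthrough or any Microsoft sample).
# Two read-only Dataverse Web API checks:
#   Step 2: the three FSI roles carry no Assign/Share privilege on Bot or Bot Component.
#   Step 9: enabled System Administrator holders (direct and via teams) number fewer than the threshold.
# Assumptions: $EnvironmentUrl / $AccessToken supplied by the caller; privilege names assumed per prv<Action><Table>.
param(
    [Parameter(Mandatory)] [string] $EnvironmentUrl,   # placeholder, e.g. https://<org>.crm.dynamics.com
    [Parameter(Mandatory)] [string] $AccessToken,      # bearer token for $EnvironmentUrl
    [int] $MaxAdmins = 10                              # FSI-imposed threshold from Step 9
)

$base    = $EnvironmentUrl.TrimEnd('/') + '/api/data/v9.2/'
$headers = @{
    Authorization      = "Bearer $AccessToken"
    'OData-MaxVersion' = '4.0'
    'OData-Version'    = '4.0'
    Accept             = 'application/json'
}

# GET with paging: follows @odata.nextLink so a large user list is not silently truncated.
function Get-DataverseRows {
    param([string] $Query)
    $uri  = $base + $Query
    $rows = @()
    while ($uri) {
        $page  = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        $rows += $page.value
        $uri   = $page.'@odata.nextLink'
    }
    return $rows
}

# ---- Step 2: no record-sharing privileges on the FSI roles ----------------------------------
$forbidden = @('prvAssignBot', 'prvShareBot', 'prvAssignBotComponent', 'prvShareBotComponent')  # assumed names
foreach ($roleName in @('FSI - Agent Publisher', 'FSI - Agent Viewer', 'FSI - Agent Tester')) {
    $roles = Get-DataverseRows ("roles?`$select=name&`$filter=name eq '$roleName'" +
                                "&`$expand=roleprivileges_association(`$select=name)")
    if (-not $roles) { Write-Warning "Role '$roleName' not found; complete Step 2 first"; continue }
    foreach ($role in $roles) {            # one row per business unit the role exists in
        $hits = @($role.roleprivileges_association.name | Where-Object { $forbidden -contains $_ })
        [pscustomobject]@{
            Check  = 'Step 2 Assign/Share'
            Target = $roleName
            Pass   = ($hits.Count -eq 0)
            Detail = $(if ($hits.Count) { "granted: $($hits -join ', ')" } else { 'no Assign/Share granted' })
        }
    }
}

# ---- Step 9: System Administrator headcount -------------------------------------------------
$isSysAdmin = "any(r:r/name eq 'System Administrator')"
$userCols   = 'systemuserid,fullname,domainname,isdisabled,applicationid'
# Users holding the role directly
$direct  = Get-DataverseRows ("systemusers?`$select=$userCols" +
                              "&`$filter=systemuserroles_association/$isSysAdmin")
# Users inheriting the role through a team (how Step 3 grants roles)
$teams   = Get-DataverseRows ("teams?`$select=name&`$filter=teamroles_association/$isSysAdmin" +
                              "&`$expand=teammembership_association(`$select=$userCols)")
$viaTeam = @($teams | ForEach-Object { $_.teammembership_association })

$admins = @(@($direct) + $viaTeam |
    Where-Object { $_ -and -not $_.isdisabled } |     # enabled accounts only; application users stay in scope
    Sort-Object systemuserid -Unique)                 # one line per user even when granted both ways

[pscustomobject]@{
    Check  = 'Step 9 admin count'
    Target = $EnvironmentUrl
    Pass   = ($admins.Count -lt $MaxAdmins)
    Detail = "$($admins.Count) enabled System Administrator holder(s); threshold < $MaxAdmins"
}
$admins | Select-Object fullname, domainname,
    @{ n = 'Kind'; e = { if ($_.applicationid) { 'Application user' } else { 'User' } } } | Format-Table -AutoSize
```

The listing the script prints is the input to item 6 of Step 9: every name on it needs a recorded business justification, and application users (rows with a non-empty applicationid) deserve the same scrutiny as people, since they hold the role without ever passing through PIM.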

Validation

After completing these steps, verify:

  • Security groups created and populated
  • Custom security roles assigned to groups
  • PIM configured for admin roles
  • Access reviews scheduled
  • Column-level security enforced
  • All agent actions have "Ask the user before running this action" enabled (Copilot Studio > Agent > Tools)
  • Connected agent access disabled for all agents unless explicitly approved (Copilot Studio > Agent > Settings > Connected Agents)
  • Admin count is below 10 per environment (PPAC > Environment > Users + Permissions)



Footnotes

  • The "fewer than 10 administrators per environment" target in Step 9 is an FSI-imposed threshold — it is not a Microsoft published recommendation. Microsoft advises minimizing privileged administrators in general (see Best practices for securing Power Platform); the specific numeric cap is framework-internal.

Updated: May 2026 | Version: v1.6.2 | UI Verification Status: Current