
Troubleshooting: Control 1.18 — Application-Level Authorization and RBAC

Last Updated: April 2026

This playbook covers operational issues commonly encountered when implementing or operating Control 1.18 (Application-Level Authorization and RBAC). Issues are grouped by symptom area; each entry includes diagnostic steps, root cause guidance, and resolution actions appropriate for an FSI environment.


Quick-Reference Issue Matrix

Symptom area                             | Likely root causes
User has more access than expected       | Direct role assignment bypassing groups; cumulative role membership; legacy security role
User has less access than expected       | Group-to-team sync delay; missing field-security profile; missing Dataverse user record
PIM activation fails                     | Missing P2 license; no approver assigned; conflicting Conditional Access; MFA registration gap
Column-level security not enforced       | Column security not enabled on the column; profile not assigned; cached UI
Access reviews stalled                   | Owners not configured; reviewer scope misaligned with group membership
Service principal denied                 | SPN missing application user record in Dataverse; rotated credential not propagated
Connected agent unexpectedly invocable   | Connected agents preview re-enabled by maker; environment-level setting overrides agent-level

Issue Group 1 — Permission Drift

User has more access than expected

Symptoms: A user with an FSI - Agent Viewer role is able to publish or modify agents, or sees configuration surfaces that should be hidden.

Diagnostic steps

  1. In PPAC > Environments > [env] > Settings > Users + permissions > Users, locate the user and review all assigned roles (not just the FSI role).
  2. Run the bootstrap validation export (Export-SecurityRoles.ps1) and inspect for direct user assignments (PrincipalType = User assigned to admin or maker roles outside the FSI naming convention).
  3. Check Entra group membership in case the user is in SG-PowerPlatform-Admins-Prod as well as SG-CopilotStudio-Viewers-Prod.
  4. Inspect Dataverse team memberships (Settings > Teams) for legacy team assignments such as Default Team with elevated privileges.

Resolution

  • Remove direct role assignments; replace with the appropriate FSI security group.
  • Remove the user from any group whose role exceeds their need-to-know.
  • Disable the legacy team or remove its over-privileged role.
  • File a role-change event in the audit trail and trigger an off-cycle access review for the impacted environment.
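The drift patterns listed in the diagnostic steps above can be checked mechanically against a role-assignment export. The following PowerShell is an added example and is not part of this playbook or of the Export-SecurityRoles.ps1 script it references; the record shape (PrincipalType, PrincipalName, RoleName, EnvironmentName), the "FSI - " role prefix and the sample assignments are all assumptions constructed for the example.

```powershell
# Added example (not the playbook's own script): flag the permission-drift patterns from the
# diagnostic steps. Record shape, the "FSI - " prefix and the sample data are assumptions.

# Roles that must only be held through an FSI security group / linked Dataverse team.
$PrivilegedRoles = @('System Administrator', 'System Customizer', 'Environment Maker')
$FsiRolePattern  = '^FSI - '          # assumed naming convention for FSI custom roles

function Find-RoleDrift {
    param([Parameter(Mandatory)] [object[]] $Assignments)

    foreach ($a in $Assignments) {
        $isPrivileged = $PrivilegedRoles -contains $a.RoleName
        $isFsiRole    = $a.RoleName -match $FsiRolePattern

        if ($a.PrincipalType -eq 'User' -and $isPrivileged) {
            # Direct user assignment of an admin/maker role bypasses the group model entirely.
            [pscustomobject]@{ Finding = 'DirectPrivilegedAssignment'; Principal = $a.PrincipalName; Role = $a.RoleName; Environment = $a.EnvironmentName }
        }
        elseif ($a.PrincipalType -eq 'User' -and -not $isFsiRole) {
            # Any other non-FSI role assigned directly to a user is outside the naming convention.
            [pscustomobject]@{ Finding = 'DirectNonFsiAssignment'; Principal = $a.PrincipalName; Role = $a.RoleName; Environment = $a.EnvironmentName }
        }
        elseif ($a.PrincipalType -eq 'Team' -and $a.PrincipalName -like '*Default Team*' -and $isPrivileged) {
            # A legacy/default team carrying an elevated role grants it to every member of that team.
            [pscustomobject]@{ Finding = 'LegacyTeamPrivilege'; Principal = $a.PrincipalName; Role = $a.RoleName; Environment = $a.EnvironmentName }
        }
    }

    # Cumulative membership: a viewer who also holds a maker/admin role gets the union of both.
    foreach ($g in ($Assignments | Where-Object PrincipalType -eq 'User' | Group-Object PrincipalName, EnvironmentName)) {
        $roles       = @($g.Group.RoleName)
        $hasViewer   = @($roles -match 'Viewer').Count -gt 0
        $hasElevated = @($roles | Where-Object { $_ -match 'Maker|Admin' -or $PrivilegedRoles -contains $_ }).Count -gt 0
        if ($hasViewer -and $hasElevated) {
            [pscustomobject]@{ Finding = 'CumulativeRoleMembership'; Principal = $g.Group[0].PrincipalName; Role = ($roles -join ' + '); Environment = $g.Group[0].EnvironmentName }
        }
    }
}

# Constructed sample export: one clean group-linked team, one drifted user, one direct
# non-FSI assignment, and one legacy team with an elevated role.
$sample = @(
    [pscustomobject]@{ PrincipalType = 'Team'; PrincipalName = 'SG-CopilotStudio-Viewers-Prod'; RoleName = 'FSI - Agent Viewer';   EnvironmentName = 'FSI-Prod' }
    [pscustomobject]@{ PrincipalType = 'User'; PrincipalName = 'alice@contoso.example';          RoleName = 'FSI - Agent Viewer';   EnvironmentName = 'FSI-Prod' }
    [pscustomobject]@{ PrincipalType = 'User'; PrincipalName = 'alice@contoso.example';          RoleName = 'System Customizer';    EnvironmentName = 'FSI-Prod' }
    [pscustomobject]@{ PrincipalType = 'User'; PrincipalName = 'bob@contoso.example';            RoleName = 'Basic User';           EnvironmentName = 'FSI-Prod' }
    [pscustomobject]@{ PrincipalType = 'Team'; PrincipalName = 'Contoso Default Team';           RoleName = 'System Administrator'; EnvironmentName = 'FSI-Prod' }
)

Find-RoleDrift -Assignments $sample | Format-Table -AutoSize
```

Each finding maps to one resolution bullet above: DirectPrivilegedAssignment and DirectNonFsiAssignment to "remove direct role assignments", LegacyTeamPrivilege to "disable the legacy team", and CumulativeRoleMembership to "remove the user from any group whose role exceeds their need-to-know". Feed the real export into Find-RoleDrift instead of $sample once its columns are mapped to the assumed record shape.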

User cannot perform actions their role should allow

Symptoms: A newly added member of SG-CopilotStudio-Makers-Prod cannot create an agent.

Diagnostic steps

  1. Confirm the user has signed out and back in since being added to the group (token cache up to 1 hour).
  2. In Entra, confirm group membership is active (PIM-for-Groups eligible-not-active = no permissions).
  3. In PPAC, confirm the Dataverse team linked to the group exists and has the FSI custom role assigned. Group-only assignment without a linked Dataverse team is the most common cause.
  4. Confirm the user has a Dataverse application user / system user record. Users added to groups but never provisioned into Dataverse will appear in PPAC as "Disabled" or "Not present".

Resolution

  • Re-link the group to a Dataverse team via PPAC > Settings > Teams > + Create team (Type = Microsoft 365 group or Microsoft Entra ID security group).
  • Assign the FSI custom role to the team (not to individual users).
  • Force token refresh: have the user sign out, clear browser cache, sign back in.
  • For Dataverse user provisioning, run the standard "Users" sync from PPAC > Settings > Users > + Add users.

Role appears assigned but takes effect inconsistently

Symptoms: Permission changes propagate for some users but not others.

Diagnostic steps

  1. Check the Entra group writeback / sync status for the affected directory.
  2. Confirm the group is assigned, not dynamic — dynamic groups can take 15–30 minutes to recompute membership after attribute changes.
  3. Inspect Dataverse cache by viewing the user's effective permissions in PPAC.

Resolution

  • For dynamic groups, wait or trigger an Update-MgGroup membership refresh.
  • For PIM-for-Groups assignments, confirm activation is current (not just eligible).
  • Allow up to 60 minutes for cross-service propagation; document the propagation delay in the operator runbook.

Issue Group 2 — PIM Activation Failures

PIM activation request returns "Not eligible"

Symptoms: User attempts to activate a privileged role and receives "You are not eligible for this role".

Diagnostic steps

  1. Confirm the user has an Entra ID P2 license assigned (PIM eligibility requires P2 per assigned user).
  2. In Entra > PIM > Groups (or Roles) > Assignments > Eligible, confirm the user appears.
  3. Check whether eligibility is via direct assignment or via a parent group (group-of-groups eligibility is supported but slower to evaluate).

Resolution

  • Assign Entra ID P2 to the user.
  • Add the user to the eligible-assignment list with the documented justification and expiration.
  • Wait 5–10 minutes for the eligibility cache to refresh, then retry activation.

PIM activation hangs at "Awaiting approval"

Symptoms: Activation request is stuck pending approval.

Diagnostic steps

  1. In PIM > Approve requests, confirm the configured approvers exist and are active accounts (not soft-deleted).
  2. Check whether the approval notification reached the approvers (Outlook, Teams).
  3. Inspect the role/group Settings for an "Approval required" misconfiguration that targets an empty group.

Resolution

  • Reassign approvers to a security group that contains at least two named individuals (avoid single points of failure).
  • For Zone 3, configure at least two approvers to support the FINRA 3110 supervisory pattern and prevent single-approver bottlenecks.
  • If the original approval is stuck, the requester can cancel and resubmit after the approver list is corrected.

PIM activation succeeds but Power Platform still denies

Symptoms: PIM shows the role as Active, but PPAC actions still fail.

Diagnostic steps

  1. Confirm the activation is for the correct directory role (Power Platform Admin, AI Administrator) and/or the correct group used for environment access.
  2. Check Conditional Access policies that may be blocking the session token (e.g., a CA policy requiring a compliant device that the activation device does not meet).
  3. Inspect the Entra sign-in log for the user and look for Conditional Access Result = Failure.

Resolution

  • Adjust Conditional Access exclusions for break-glass scenarios per Control 1.11, never by removing the policy.
  • Have the user sign out and re-authenticate to refresh the session token containing the activated role claim.
  • For environment-scope access, confirm PIM-for-Groups (not PIM for directory roles) is the activation path.
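Step 3 of the diagnostics above (find the sign-in with Conditional Access Result = Failure and the policy behind it) is tedious to do by hand when a user has many sign-ins. The following PowerShell is an added example, not part of this playbook: it filters sign-in records for one user and reports only the policies whose own result is failure. The sample records are constructed in the shape of the Microsoft Graph signIn resource (conditionalAccessStatus, appliedConditionalAccessPolicies, deviceDetail); live records would come from the Entra sign-in log, for example via Get-MgAuditLogSignIn from the Microsoft.Graph.Reports module.

```powershell
# Added example, not part of the playbook: report which Conditional Access policy blocked a
# user's sign-ins. Sample data below is constructed in the Graph signIn shape.

function Get-CaFailures {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [Parameter(Mandatory)] [string]   $UserPrincipalName
    )
    $SignIns |
        Where-Object { $_.userPrincipalName -eq $UserPrincipalName -and $_.conditionalAccessStatus -eq 'failure' } |
        ForEach-Object {
            $s = $_
            # Only policies whose own result is 'failure' explain the block; satisfied or
            # not-applied policies are listed on the same sign-in and are noise here.
            $s.appliedConditionalAccessPolicies | Where-Object { $_.result -eq 'failure' } | ForEach-Object {
                [pscustomobject]@{
                    Time            = $s.createdDateTime
                    App             = $s.appDisplayName
                    Policy          = $_.displayName
                    FailedControls  = ($_.enforcedGrantControls -join ', ')
                    DeviceCompliant = $s.deviceDetail.isCompliant
                }
            }
        }
}

# Constructed sample: one successful sign-in, then one blocked by a compliant-device policy
# after the activated role was used from a non-compliant device.
$sampleSignIns = @'
[
  { "createdDateTime": "2026-04-02T09:14:05Z", "userPrincipalName": "alice@contoso.example",
    "appDisplayName": "Power Platform Admin Center", "conditionalAccessStatus": "success",
    "deviceDetail": { "isCompliant": true },
    "appliedConditionalAccessPolicies": [
      { "displayName": "CA01-Require-MFA-Admins", "result": "success", "enforcedGrantControls": ["Mfa"] } ] },
  { "createdDateTime": "2026-04-02T09:20:41Z", "userPrincipalName": "alice@contoso.example",
    "appDisplayName": "Power Platform Admin Center", "conditionalAccessStatus": "failure",
    "deviceDetail": { "isCompliant": false },
    "appliedConditionalAccessPolicies": [
      { "displayName": "CA01-Require-MFA-Admins", "result": "success", "enforcedGrantControls": ["Mfa"] },
      { "displayName": "CA07-Require-Compliant-Device-Zone3", "result": "failure", "enforcedGrantControls": ["RequireCompliantDevice"] } ] }
]
'@ | ConvertFrom-Json

Get-CaFailures -SignIns $sampleSignIns -UserPrincipalName 'alice@contoso.example' | Format-Table -AutoSize

# Live data (assumes Microsoft.Graph.Reports is connected with AuditLog.Read.All):
#   $live = Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'alice@contoso.example'" -All
#   Get-CaFailures -SignIns $live -UserPrincipalName 'alice@contoso.example'
```

The output names the policy to review. Per the resolution above, the fix is a scoped exclusion or a compliant device, not removal of the policy.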

PIM activation requires MFA but user has no method registered

Symptoms: Activation prompts for MFA, user cannot complete the challenge.

Diagnostic steps

  1. In Entra > Users > [user] > Authentication methods, confirm at least one phishing-resistant method is registered.
  2. Check tenant Authentication Methods policy for required strengths.

Resolution

  • Have the user complete authentication-method registration via https://aka.ms/mfasetup using a non-privileged session.
  • For Zone 3, require phishing-resistant methods (FIDO2 / Windows Hello for Business / certificate-based) per Control 1.11.

Issue Group 3 — Column-Level Security

Column security profile created but values still visible to all users

Symptoms: A field-security profile is configured, yet users without the profile still see PII values.

Diagnostic steps

  1. Confirm the column-level security flag is set on the column itself (Solutions > target table > column > Advanced options > Enable column security: On). Without this flag the profile assignment has no effect.
  2. Confirm the profile is assigned to a user/team, not just created.
  3. Verify the user is not in System Administrator (admins bypass column security).
  4. Clear cached form views (close and reopen the model-driven app or refresh the form).

Resolution

  • Enable column security on the column, then publish customizations.
  • Assign the field-security profile to the appropriate Dataverse team (preferred) or individual user.
  • Remove unnecessary System Administrator memberships that are masking the test result.

Column security degrades query performance

Symptoms: Views and reports referencing column-secured fields are slow.

Diagnostic steps

  1. Identify how many columns are secured on the table.
  2. Check whether secured columns appear in default views, charts, or aggregate queries.

Resolution

  • Limit column security to the highest-sensitivity fields only (SSN/Tax ID, account number, balance, credit score, government ID).
  • Remove secured columns from default views; expose them only on detail forms.
  • Where masking is sufficient, prefer a calculated/formatted column rather than full column security.

Issue Group 4 — Access Reviews

Access review created but no reviewers assigned

Symptoms: Review is scheduled but no reviewer receives notifications.

Diagnostic steps

  1. In Entra > Identity governance > Access reviews > [review] > Settings, confirm the Reviewers field is populated.
  2. Confirm group owners exist on the target group; "Group owners" as reviewer fails silently when no owner is set.

Resolution

  • Assign group owners to every governed group (minimum two for Zone 3).
  • For Zone 3, prefer named reviewers (not "Group owners") to maintain auditable supervisory accountability per FINRA 3110.

Access review auto-completes with "No response" → unintended removals

Symptoms: Users were removed from groups after a review they did not see.

Diagnostic steps

  1. Confirm reviewer received the notification (check spam, Teams notifications).
  2. Inspect the review configuration's "If reviewers don't respond" setting.

Resolution

  • For Zone 1/2, consider setting the non-response action to "Take recommendations" rather than "Remove access" until a notification baseline is established.
  • For Zone 3, retain "Remove access" but ensure reviewers are paged through monitored channels and reviews include a 2-week response window.
  • Implement a back-out runbook for restoring removed users (audit-friendly, not silent re-add).

Issue Group 5 — Service Principal and Connected-Agent Issues

Service principal denied even after credential rotation

Symptoms: Automation that worked before credential rotation now returns 401/403.

Diagnostic steps

  1. Confirm the new credential (certificate or secret) is registered on the same application object the SPN authenticates against.
  2. In Dataverse, confirm the Application User record for the SPN exists in the target environment and is assigned the correct custom role.
  3. Check expiration of the prior credential — ensure it has not been removed before the new one was added (overlap window).

Resolution

  • Maintain a credential overlap window (minimum 7 days) when rotating SPN credentials in Zone 3.
  • Re-create the Dataverse Application User record if the environment was restored or copied without it.
  • Verify the SPN holds only purpose-built custom roles, not System Administrator.
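The overlap-window requirement above is easy to violate when a new certificate is added only days before the old one expires. The following PowerShell is an added example, not part of this playbook: it checks that each consecutive pair of credentials on an application object overlaps by at least the required number of days. The objects use the DisplayName/StartDateTime/EndDateTime shape that Get-MgApplication (Microsoft.Graph.Applications) returns in KeyCredentials and PasswordCredentials; the sample credentials and the application object id are constructed placeholders.

```powershell
# Added example, not part of the playbook: verify the credential overlap window when
# rotating SPN credentials. Sample credentials are constructed; 7 days is the Zone 3 minimum.

function Test-CredentialOverlap {
    param(
        [Parameter(Mandatory)] [object[]] $Credentials,
        [int] $MinimumOverlapDays = 7
    )
    $sorted = @($Credentials | Sort-Object StartDateTime)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $old = $sorted[$i - 1]
        $new = $sorted[$i]
        # Overlap = time between the replacement becoming valid and the retiring one expiring.
        # A negative value means there was a gap with no valid credential at all.
        $overlapDays = ([datetime]$old.EndDateTime - [datetime]$new.StartDateTime).TotalDays
        [pscustomobject]@{
            Retiring    = $old.DisplayName
            Replacement = $new.DisplayName
            OverlapDays = [math]::Round($overlapDays, 1)
            MeetsWindow = $overlapDays -ge $MinimumOverlapDays
        }
    }
}

# Constructed sample: the 2026 certificate was added only 5 days before the 2025 one expires
# (fails the window); the 2027 certificate was added 21 days ahead (passes).
$sampleCredentials = @(
    [pscustomobject]@{ DisplayName = 'spn-cert-2025'; StartDateTime = [datetime]'2025-01-10'; EndDateTime = [datetime]'2026-01-15' }
    [pscustomobject]@{ DisplayName = 'spn-cert-2026'; StartDateTime = [datetime]'2026-01-10'; EndDateTime = [datetime]'2027-01-10' }
    [pscustomobject]@{ DisplayName = 'spn-cert-2027'; StartDateTime = [datetime]'2026-12-20'; EndDateTime = [datetime]'2027-12-20' }
)

Test-CredentialOverlap -Credentials $sampleCredentials | Format-Table -AutoSize

# Live data (assumes Microsoft.Graph.Applications and the application's object id):
#   $app = Get-MgApplication -ApplicationId '<application-object-id>'
#   Test-CredentialOverlap -Credentials $app.KeyCredentials
#   Test-CredentialOverlap -Credentials $app.PasswordCredentials
```

Run the check before removing the retiring credential; a row with MeetsWindow = False means consumers still on the old credential have less than the required window to pick up the new one, which is the 401/403 pattern described in the symptoms.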

Connected agent unexpectedly invocable from another agent

Symptoms: Agent A can invoke Agent B even though Agent B's "Let other agents connect" toggle is disabled.

Diagnostic steps

  1. Confirm the connection was not established before the toggle was disabled (existing connections may persist).
  2. Check the environment-level setting in PPAC > Environments > [env] > Settings > Features: enabling "Connected agents" environment-wide can override per-agent intent.
  3. Review the agent-to-agent invocation audit log (Power Platform admin analytics).

Resolution

  • Remove the existing connection from Agent A's tools list.
  • Set environment-level connected agents to Disabled as the baseline; enable per-agent only via documented exception.
  • Add the offending agent connection to the connected-agent inventory (Verification & Testing Test 7) and trigger an off-cycle review.

Escalation Path

  1. Power Platform Admin — environment users, Dataverse role assignments, application users
  2. Entra Identity Governance Admin — PIM-for-Groups, access reviews, eligibility
  3. Entra Global Admin — security group lifecycle, conditional access policy adjustments, P2 licensing
  4. AI Governance Lead / Compliance Officer — exception approval, attestation sign-off, examination response
  5. Microsoft Support — platform defects, Dataverse cmdlet behaviour on Dataverse-backed environments, PIM platform issues

Known Limitations

Limitation | Impact | Workaround
Group-to-Dataverse-team sync may take up to 60 minutes after Entra changes | New makers cannot work immediately after group assignment | Document the SLA in onboarding; pre-stage assignments before user start date
Get/Set/Remove-AdminPowerAppEnvironmentRoleAssignment cmdlets do not function on Dataverse-backed environments | PowerShell cannot directly assign Dataverse roles | Use PPAC for Dataverse role assignment; use the Dataverse Web API for read-only inventory
PIM-for-Groups requires Entra ID P2 per assigned user | Without P2, eligibility-based admin access is not available | License the small admin population with P2; do not attempt to substitute group-only RBAC
PIM activation maximum is bounded by tenant policy (default 8 hours, recommended ≤ 4 for Zone 3) | Long admin sessions require re-activation | Schedule maintenance windows that fit within the activation window
Column-level security can degrade query performance when over-applied | Slow lists and reports | Limit secured columns to highest-sensitivity fields; mask via formatting where possible
Custom Dataverse roles cannot separate every privilege below the entity level | Some operations bundle privileges (e.g., AppendTo) | Use multiple roles assigned via different groups for finer separation
Connected agents preview can be re-enabled at the agent or environment level by makers | Risk of cross-agent data flow re-emerging | Quarterly inventory (Test 7); pin environment-level setting and audit changes via SIEM
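The second limitation above points to the Dataverse Web API for read-only role inventory on environments where the *-AdminPowerAppEnvironmentRoleAssignment cmdlets do not work. The following PowerShell is an added example, not part of this playbook: it lists every user, application user and team in an environment together with the Dataverse roles assigned to it, following OData paging so large environments are covered completely. It assumes the caller already holds a bearer token for the environment (scope "<environment-url>/.default"); the environment URL and token acquisition shown in the usage comment are placeholders.

```powershell
# Added example, not part of the playbook: read-only Dataverse role inventory via the Web API.
# Assumes a bearer token for the environment is already available; URLs are placeholders.

function Get-DataverseRoleInventory {
    param(
        [Parameter(Mandatory)] [string] $EnvironmentUrl,   # e.g. https://<org>.crm.dynamics.com
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $headers = @{
        Authorization      = "Bearer $AccessToken"
        'OData-MaxVersion' = '4.0'
        'OData-Version'    = '4.0'
        Accept             = 'application/json'
    }
    $base = "$($EnvironmentUrl.TrimEnd('/'))/api/data/v9.2"

    # Follow @odata.nextLink so the inventory is complete, not just the first page.
    function Invoke-DataversePaged([string] $Uri) {
        while ($Uri) {
            $page = Invoke-RestMethod -Uri $Uri -Headers $headers -Method Get
            $page.value
            $Uri = $page.'@odata.nextLink'
        }
    }

    # Enabled users (application users carry an applicationid) with directly assigned roles.
    $userUri = "$base/systemusers?`$select=fullname,domainname,applicationid,isdisabled" +
               "&`$filter=isdisabled eq false&`$expand=systemuserroles_association(`$select=name)"
    foreach ($u in Invoke-DataversePaged $userUri) {
        foreach ($r in $u.systemuserroles_association) {
            [pscustomobject]@{
                PrincipalType = $(if ($u.applicationid) { 'ApplicationUser' } else { 'User' })
                PrincipalName = $u.domainname
                RoleName      = $r.name
            }
        }
    }

    # Teams (including Entra-group-linked teams) with their roles.
    $teamUri = "$base/teams?`$select=name,teamtype&`$expand=teamroles_association(`$select=name)"
    foreach ($t in Invoke-DataversePaged $teamUri) {
        foreach ($r in $t.teamroles_association) {
            [pscustomobject]@{ PrincipalType = 'Team'; PrincipalName = $t.name; RoleName = $r.name }
        }
    }
}

# Usage (placeholders; token acquisition assumes Az.Accounts is signed in):
#   $token = (Get-AzAccessToken -ResourceUrl 'https://<org>.crm.dynamics.com').Token
#   Get-DataverseRoleInventory -EnvironmentUrl 'https://<org>.crm.dynamics.com' -AccessToken $token |
#       Where-Object { $_.PrincipalType -ne 'Team' -and $_.RoleName -in 'System Administrator', 'System Customizer' }
```

The inventory is read-only by construction (GET requests only), so it is safe to run on a schedule and export for the access-review evidence trail; role assignment itself still goes through PPAC as the table states.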



Updated: April 2026 | Version: v1.4.0 | Classification: Troubleshooting