Portal Walkthrough: Control 1.26 - Agent File Upload and File Analysis Restrictions

Last Updated: February 2026 Portal: Copilot Studio, Power Platform Admin Center Estimated Time: 20-30 minutes

Prerequisites

Power Platform Admin or Copilot Studio Agent Author role
Access to Copilot Studio and Power Platform Admin Center
Knowledge of agent governance zone classifications
Approved file upload enablement request (Zone 2+)

Step-by-Step Configuration

Step 1: Navigate to Agent Settings in Copilot Studio

Open Copilot Studio
Select the target agent from the agent list
Click Settings (gear icon) in the top navigation
Select Security from the settings menu

Step 2: Configure File Upload Security Toggle

Locate the File Upload section under Security settings
Review the current toggle state (enabled or disabled)
Set the toggle based on the agent's governance zone:
Zone 1 agents: File upload may remain enabled (Microsoft defaults)
Zone 2 agents: Disable file upload unless an approved enablement request exists
Zone 3 agents: Disable file upload; enable only with formal risk assessment and approval documentation
Click Save to apply changes

Note: When file upload is enabled, agents can accept up to 20 files as knowledge sources. Supported file types include docx, pptx, xlsx, pdf, txt, and csv.

Step 3: Review File Size Limits

Within the File Upload security settings, review the applicable file size limits:
pptx, pdf, docx: up to 512MB per file
txt, csv, xls, xlsx, ppt, doc: up to 150MB per file
Document any environment-specific size restrictions that apply
For Zone 3 agents, verify whether reduced file size limits have been configured as part of the risk assessment

Step 4: Verify Sensitivity Label Configuration

Navigate to the agent's Knowledge section
If file upload is enabled, upload a test file with a sensitivity label applied
Verify the agent displays the inherited sensitivity label
Confirm the agent inherits the most restrictive label when multiple files are uploaded

Important: Sensitivity labels are auto-applied to uploaded files. The agent inherits the most restrictive label from its file knowledge sources, which may restrict the agent's ability to share responses with certain users.

Step 5: Review SharePoint Embedded Container

Navigate to Power Platform Admin Center
Select Environments from the left navigation
Select the environment hosting the agent
Review the SharePoint Embedded (SPE) container configuration
Verify access controls and retention policies are applied to the SPE container
Document the container ID and associated environment for governance records

Step 6: Verify DLP Policy Coverage (Zone 2+)

Navigate to Microsoft Purview Compliance Portal
Select Data Loss Prevention → Policies
Verify a DLP policy exists that covers Power Platform connectors in the agent's environment
Confirm the policy is in Enforce mode
For Zone 3 agents, verify content scanning rules are active and scoped to file upload data

Configuration by Governance Level

Setting	Baseline (Zone 1)	Recommended (Zone 2)	Regulated (Zone 3)
File upload toggle default	Allowed	Disabled until approved	Default deny
Approval required	No	Documented approval	Formal risk assessment
Sensitivity labels	Recommended	Required	Required with audit
DLP policy coverage	Not required	Required	Required with scanning
SPE container review	Quarterly	Monthly	Continuous
Agent inventory tracking	Recommended	Required	Required
Review frequency	Quarterly	Monthly	Weekly
Exception process	Informal	Documented	Documented with approval

Validation

After completing these steps, verify:

File upload toggle is set to the correct state for the agent's governance zone
Approval documentation exists for Zone 2 and Zone 3 agents with file upload enabled
Sensitivity labels are being applied to uploaded files
DLP policies cover agents with file upload enabled (Zone 2+)
SPE container access controls and retention policies are configured
Agent is recorded in the file upload inventory

Back to Control 1.26 | PowerShell Setup | Verification Testing | Troubleshooting