Verification & Testing: Control 1.28 - Policy-Based Agent Publishing Restrictions

Last Updated: February 2026
Test Environment: Pre-production/Test
Estimated Time: 30-40 minutes

Overview

This playbook provides test cases and verification procedures to confirm that policy-based publishing restrictions are functioning correctly across all governance zones.


Prerequisites

  • DLP policies configured and assigned to environments
  • Test environments available for each zone (Zone 1, Zone 2, Zone 3)
  • Test agent available for publishing experiments
  • Approval workflows configured (Zone 2+ environments)
  • Test user accounts with Agent Author and Power Platform Admin roles

Test Case 1: DLP Enforcement - Block Publishing with Violations

Objective: Verify that agents with DLP violations cannot be published

Test Steps

  1. Open Copilot Studio and navigate to a Zone 3 environment
  2. Create a new test agent named "Test Agent - DLP Violation"
  3. Add a topic that uses a blocked connector:
       • Create a new topic called "Test HTTP Connector"
       • Add an action node using HTTP connector (blocked in Zone 3)
       • Configure the HTTP action to call an external API
  4. Save the agent
  5. Attempt to publish the agent by clicking Publish
  6. Observe the security scan results

Expected Results

  • Security scan detects DLP violation for HTTP connector
  • Publishing is blocked with red error indicator
  • Error message displays: "This agent cannot be published due to DLP policy violations"
  • Details panel lists HTTP connector as the violation
  • Agent remains in draft status

Evidence Collection

  • Screenshot of security scan showing DLP violation
  • Screenshot of blocked publish button
  • Export DLP policy assignment showing Zone 3 restrictions

Test Case 2: DLP Enforcement - Allow Publishing with Compliant Configuration

Objective: Verify that agents compliant with DLP policies can be published

Test Steps

  1. Open Copilot Studio and navigate to Zone 3 environment
  2. Create a new test agent named "Test Agent - DLP Compliant"
  3. Add a topic that uses only approved connectors:
       • Create a topic called "Test SharePoint Connector"
       • Add an action node using SharePoint Online connector (allowed in Zone 3)
       • Configure the SharePoint action to read from a document library
  4. Save the agent
  5. Attempt to publish the agent by clicking Publish
  6. Observe the security scan results

Expected Results

  • Security scan passes with green checkmark
  • No DLP violations detected
  • Publishing proceeds to approval workflow (if Zone 2+)
  • Agent enters "Pending Approval" or "Published" status

Evidence Collection

  • Screenshot of security scan showing no violations
  • Screenshot of successful publish (or pending approval)
  • Purview audit log entry for agent publishing event

Test Case 3: Blocked Channel Detection

Objective: Verify that agents configured with prohibited channels are blocked from publishing

Test Steps

  1. Open Copilot Studio and navigate to Zone 2 or Zone 3 environment
  2. Create a new test agent named "Test Agent - Blocked Channel"
  3. Configure the agent to use a prohibited channel:
       • Navigate to Settings → Channels
       • Enable "Facebook" or "Telegram" channel
       • Save channel configuration
  4. Attempt to publish the agent by clicking Publish
  5. Observe the security scan results

Expected Results

  • Security scan detects blocked channel configuration
  • Publishing is blocked with red error indicator
  • Error message displays: "This agent uses prohibited channels"
  • Details panel lists Facebook or Telegram as the violation
  • Agent cannot be published until channel is removed

Evidence Collection

  • Screenshot of channel configuration with Facebook/Telegram enabled
  • Screenshot of security scan showing blocked channel violation
  • Screenshot of blocked publish button

Test Case 4: Approval Workflow - Single Approver (Zone 2)

Objective: Verify that Zone 2 environments require approval before publishing

Test Steps

  1. Open Copilot Studio and navigate to a Zone 2 environment
  2. Create a compliant test agent named "Test Agent - Zone 2 Approval"
  3. Configure agent with approved connectors only (SharePoint, Teams)
  4. Attempt to publish the agent:
       • Click Publish
       • Verify security scan passes
       • Provide publishing justification: "Test approval workflow"
       • Click Submit for approval
  5. As Power Platform Admin, review the pending approval:
       • Open Power Platform Admin Center → Pending Approvals
       • Review agent publishing request
       • Approve the request with comment: "Approved for testing"
  6. Verify agent publishing completes

Expected Results

  • Agent enters "Pending Approval" status after submission
  • Agent author receives notification that approval is required
  • Power Platform Admin receives approval request notification
  • After approval, agent publishing completes successfully
  • Agent enters "Published" status
  • Approval event is logged in Purview audit log

Evidence Collection

  • Screenshot of "Submit for approval" screen with justification
  • Screenshot of pending approval in Power Platform Admin Center
  • Screenshot of approval action with admin comment
  • Purview audit log entry showing approval event

Test Case 5: Approval Workflow - Rejection (Zone 2)

Objective: Verify that rejected publishing requests prevent agent deployment

Test Steps

  1. Open Copilot Studio and navigate to Zone 2 environment
  2. Create a test agent named "Test Agent - Rejection Test"
  3. Submit the agent for publishing approval with justification: "Testing rejection workflow"
  4. As Power Platform Admin, reject the publishing request:
       • Open Power Platform Admin Center → Pending Approvals
       • Review agent publishing request
       • Reject the request with comment: "Insufficient testing evidence"
  5. Verify agent remains in draft status

Expected Results

  • Power Platform Admin successfully rejects the request
  • Agent author receives notification that request was rejected
  • Rejection comment is visible to agent author
  • Agent remains in "Draft" status
  • Agent is not deployed to production
  • Rejection event is logged in Purview audit log

Evidence Collection

  • Screenshot of rejection action with admin comment
  • Screenshot of rejection notification to agent author
  • Purview audit log entry showing rejection event

Test Case 6: Environment Promotion Pipeline (Zone 3)

Objective: Verify that Zone 3 agents must be promoted through dev→test→prod pipeline

Test Steps

  1. Verify separate environments exist:
       • Development environment (e.g., "Dev-Zone3")
       • Test environment (e.g., "UAT-Zone3")
       • Production environment (e.g., "Prod-Zone3")
  2. Create a test agent in the Development environment
  3. Publish the agent in Development (should succeed with approval)
  4. Attempt to export/import the agent to Production environment (bypassing Test):
       • Export the agent from Development
       • Import the agent to Production
       • Attempt to publish in Production
  5. Observe the promotion enforcement

Expected Results

  • Agent publishes successfully in Development after approval
  • Agent can be promoted from Development to Test
  • Agent cannot be published in Production without Test environment approval
  • Promotion pipeline enforcement prevents bypassing Test environment
  • Audit logs capture each promotion step

Evidence Collection

  • Screenshot of agent published in Development environment
  • Screenshot of agent promoted to Test environment
  • Screenshot of blocked direct promotion to Production
  • Purview audit log showing environment promotion chain

Test Case 7: DLP Update Blocking for Published Agents

Objective: Verify that published agents are blocked from updates if DLP violations are introduced

Test Steps

  1. Publish a compliant agent in Zone 3 environment (e.g., "Test Agent - Update Block")
  2. Verify the agent is successfully published and available
  3. Modify the DLP policy to block a connector the agent uses:
       • In Power Platform Admin Center, edit the Zone 3 DLP policy
       • Move SharePoint connector from "Business" to "Blocked"
       • Save the DLP policy
  4. Attempt to update the published agent:
       • Make a minor change to the agent (e.g., update a topic message)
       • Click Publish to update the agent
  5. Observe the publishing enforcement

Expected Results

  • Agent was initially published successfully
  • After DLP policy change, agent is flagged as non-compliant
  • Attempting to update the agent triggers security scan
  • Security scan detects DLP violation (SharePoint connector now blocked)
  • Publishing update is blocked with error message
  • Agent remains in previous published version until violation is resolved

Evidence Collection

  • Screenshot of agent published successfully before DLP change
  • Screenshot of DLP policy change (SharePoint moved to Blocked)
  • Screenshot of blocked update attempt with DLP violation error
  • Screenshot of agent status showing "Published (Non-Compliant)"

Test Case 8: Security Scan Warning Override (Zone 1 Only)

Objective: Verify that Zone 1 environments allow publishing with warnings (but not errors)

Test Steps

  1. Open Copilot Studio and navigate to Zone 1 environment
  2. Create a test agent that triggers a security warning (not error):
       • Use a connector that generates a warning (e.g., HTTP with untrusted certificate)
       • Configure the agent to use the connector
  3. Attempt to publish the agent:
       • Click Publish
       • Observe security scan results showing yellow warning
       • Review warning details
  4. Acknowledge the warning and proceed with publishing
  5. Verify the agent publishes despite the warning

Expected Results

  • Security scan displays yellow warning indicator
  • Warning details explain the security concern
  • Zone 1 environment allows publishing with acknowledgment
  • Agent author must explicitly acknowledge warning to proceed
  • Agent publishes successfully after acknowledgment
  • Warning is logged in audit trail

Evidence Collection

  • Screenshot of security scan showing yellow warning
  • Screenshot of warning acknowledgment dialog
  • Screenshot of successful publishing despite warning
  • Purview audit log entry showing warning acknowledged

Test Case 9: Audit Log Capture

Objective: Verify that all publishing events are captured in Microsoft Purview audit logs

Test Steps

  1. Perform several publishing actions across different zones:
       • Publish an agent in Zone 1 (successful)
       • Submit an agent for approval in Zone 2
       • Reject a publishing request in Zone 2
       • Approve a publishing request in Zone 3
  2. Open Microsoft Purview Compliance Portal → Audit
  3. Search for publishing-related events:
       • Keywords: "Chatbot", "Publish", "Approval"
       • Activities: "Create chatbot", "Update chatbot", "Approve request", "Reject request"
       • Date range: Last 24 hours
  4. Review the audit log results

Expected Results

  • All publishing events are captured in Purview audit logs
  • Audit entries include timestamp, user, agent name, environment, and action
  • Approval and rejection events include approver comments
  • DLP violation events are logged with connector details
  • Security scan results are logged with pass/fail status
  • Audit logs are retained per regulatory requirements (7 years for FSI)

Evidence Collection

  • Screenshot of Purview audit search results showing publishing events
  • Export of audit log entries to CSV for compliance records
  • Sample audit log entry showing detailed event metadata
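
The Test Case 9 checks (each searched activity present in the date range, each entry carrying timestamp, user, agent name, environment and action) can be scripted against the CSV export collected as evidence. The following is an added example, not part of the original playbook or its scripts: the function name, the column names (`CreationDate`, `UserIds`, `Operations`, `AuditData`), the `AuditData` property names and the sample rows are assumptions, and the `Operations` values reuse the activity names from the search step as stand-ins for whatever your export contains.

```powershell
# Added example. ASSUMPTIONS: the column names and the AuditData properties
# (AgentName, EnvironmentName) are placeholders; map them to your own export.
function Test-PublishingAuditCoverage {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [datetime] $SinceUtc,
        [string[]] $ExpectedActivities = @('Create chatbot', 'Update chatbot',
                                           'Approve request', 'Reject request')
    )
    $since  = $SinceUtc.ToUniversalTime()
    $inv    = [cultureinfo]::InvariantCulture
    $styles = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    $seen   = @{}
    foreach ($r in $Records) {
        $missing = @()
        $ts = [datetime]::MinValue
        $parsed = [datetime]::TryParse($r.CreationDate, $inv, $styles, [ref]$ts)
        if (-not $parsed) { $missing += 'CreationDate' }
        foreach ($col in 'UserIds', 'Operations') {
            if ([string]::IsNullOrWhiteSpace($r.$col)) { $missing += $col }
        }
        $data = $null   # stays $null when AuditData is empty or not valid JSON
        try { $data = $r.AuditData | ConvertFrom-Json -ErrorAction Stop } catch { }
        foreach ($p in 'AgentName', 'EnvironmentName') {
            if (-not $data -or [string]::IsNullOrWhiteSpace($data.$p)) { $missing += "AuditData.$p" }
        }
        if ($missing) {   # entry lacks a field Test Case 9 expects
            [pscustomobject]@{ Check  = 'IncompleteEntry'
                               Detail = "$($r.Operations) by $($r.UserIds): $($missing -join ', ')" }
        }
        if ($ts -ge $since -and $r.Operations) { $seen[$r.Operations] = $true }
    }
    foreach ($a in $ExpectedActivities) {   # activity never logged inside the window
        if (-not $seen.ContainsKey($a)) { [pscustomobject]@{ Check = 'MissingActivity'; Detail = $a } }
    }
}

# Constructed sample rows (not real audit data); use Import-Csv on the real export.
$rows = @'
CreationDate,UserIds,Operations,AuditData
2026-02-10T09:15:00Z,author@example.test,Create chatbot,"{""AgentName"":""Test Agent A"",""EnvironmentName"":""Zone1-Test""}"
2026-02-10T10:02:00Z,admin@example.test,Approve request,"{""AgentName"":""Test Agent B"",""EnvironmentName"":""Zone3-Test""}"
2026-02-10T10:30:00Z,admin@example.test,Reject request,"{""AgentName"":""Test Agent C""}"
2026-02-08T08:00:00Z,author@example.test,Update chatbot,"{""AgentName"":""Test Agent A"",""EnvironmentName"":""Zone1-Test""}"
'@ | ConvertFrom-Csv

$windowStart = [datetime]::new(2026, 2, 10, 0, 0, 0, [System.DateTimeKind]::Utc)
Test-PublishingAuditCoverage -Records $rows -SinceUtc $windowStart | Format-Table -AutoSize
```

An empty result means every expected activity appears inside the window and every entry carries the checked fields; for a live run, pass `(Get-Date).ToUniversalTime().AddHours(-24)` as the window start to match the "Last 24 hours" search.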

Test Case 10: PowerShell Compliance Report

Objective: Verify that PowerShell automation scripts accurately report publishing compliance

Test Steps

  1. Run the PowerShell compliance audit script:

    .\Audit-AgentPublishingCompliance.ps1

  2. Review the compliance report output:
       • Total agents count
       • Compliant agents count
       • Non-compliant agents count
       • List of non-compliant agents with violations
  3. Manually verify several agents in the report:
       • Check DLP status in Power Platform Admin Center
       • Check channel configuration in Copilot Studio
       • Confirm approval status matches report

Expected Results

  • PowerShell script executes without errors
  • Report displays accurate agent counts
  • Non-compliant agents are correctly identified with violations
  • DLP violations match manual verification
  • Blocked channels match manual verification
  • Report exports to CSV successfully

Evidence Collection

  • Screenshot of PowerShell compliance report output
  • CSV export of compliance report
  • Manual verification screenshots for sample agents

Compliance Verification Checklist

After completing all test cases, verify the following:

  • DLP policies are configured for all three zones with appropriate connector restrictions
  • DLP violations prevent agent publishing in all zones
  • Published agents are blocked from updates if DLP violations exist (February 2025 enforcement)
  • Security scans detect blocked channels and configuration issues
  • Zone 1 allows publishing with warnings (after acknowledgment)
  • Zone 2+ requires approval before publishing
  • Approval workflow captures approver identity, timestamp, and comments
  • Rejection workflow prevents agent deployment
  • Zone 3 enforces environment promotion pipeline (dev→test→prod)
  • All publishing events are logged in Microsoft Purview
  • Audit logs include DLP violations, approvals, rejections, and security scan results
  • PowerShell automation scripts provide accurate compliance reporting

Evidence Package

Compile the following evidence for compliance documentation:

  1. DLP Policy Configuration:
       • Export of Zone 1, Zone 2, and Zone 3 DLP policies
       • Connector classification listings (Business/Non-Business/Blocked)
       • Environment assignment records

  2. Security Scan Results:
       • Screenshots of passed scans (compliant agents)
       • Screenshots of failed scans (DLP violations, blocked channels)
       • Security scan reports for sample agents

  3. Approval Workflow Documentation:
       • Screenshots of approval requests
       • Screenshots of approved requests with admin comments
       • Screenshots of rejected requests with feedback
       • Approval workflow configuration settings

  4. Audit Logs:
       • CSV export of publishing events from Purview
       • Sample audit log entries with detailed metadata
       • Audit log retention policy documentation

  5. Compliance Reports:
       • PowerShell compliance report CSV export
       • Summary of compliant vs. non-compliant agents
       • Remediation plan for non-compliant agents

Ongoing Monitoring

Establish ongoing monitoring for publishing compliance:

  • Weekly: Run PowerShell compliance audit script; review non-compliant agents
  • Monthly: Review approval workflow metrics (requests, approvals, rejections, SLA)
  • Quarterly: Audit DLP policy effectiveness; update connector restrictions as needed
  • Annually: Review and update publishing governance policies based on regulatory changes

Attestation Statement Template

## Control 1.28 Attestation - Policy-Based Agent Publishing Restrictions

**Organization:** [Organization Name]
**Control Owner:** [Name/Role]
**Date:** [Date]

I attest that:

1. DLP policies are configured and enforced per governance zone:
   - Zone 1 environments: [Count] — baseline DLP policies applied
   - Zone 2 environments: [Count] — restrictive DLP policies with approval workflow
   - Zone 3 environments: [Count] — strict DLP policies with environment promotion pipeline
2. Publishing restrictions are actively enforced:
   - DLP violations prevent agent publishing: [Yes/No]
   - Security scans detect blocked channels: [Yes/No]
   - Published agents blocked from updates on DLP violation: [Yes/No]
3. Approval workflows are operational:
   - Zone 2 single-approver workflow active: [Yes/No]
   - Zone 3 multi-approver workflow with promotion pipeline active: [Yes/No]
   - Rejection workflow prevents deployment: [Yes/No]
4. Audit logging is configured:
   - Publishing events captured in Microsoft Purview: [Yes/No]
   - Approval/rejection events logged with approver identity: [Yes/No]
   - Audit log retention meets regulatory requirements (7 years): [Yes/No]
5. PowerShell compliance reporting is operational:
   - Automated compliance audit script runs without errors: [Yes/No]
   - Non-compliant agents are accurately identified: [Yes/No]

**Signature:** ______________________
**Date:** ______________________
