Control 1.4: Advanced Connector Policies (ACP) - PowerShell Setup
This playbook provides PowerShell automation guidance for Control 1.4.
Prerequisites
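# Install Power Platform Admin modules
# -Repository pins resolution to the PowerShell Gallery so the module name
# cannot be satisfied by another registered feed (supply-chain hygiene).
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Repository PSGallery -Scope CurrentUser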
Connect to Power Platform
# Connect to Power Platform (interactive authentication)
Add-PowerAppsAccount

# For automated/unattended scenarios, use service principal authentication.
# Keep the client secret out of the script body: load it at run time from the
# pipeline's secret store or an environment variable so it is never committed
# or echoed by transcript/verbose output. The literal placeholders below are
# the playbook's sample values, not a recommendation to inline the secret.
# $appId = "<Application-Client-ID>"
# $secret = "<Client-Secret>"
# $tenantId = "<Tenant-ID>"
# Add-PowerAppsAccount -ApplicationId $appId -ClientSecret $secret -TenantID $tenantId
Enable Managed Environment
# Enable Managed Environment (required for ACP)
# Replace the placeholder with the target environment GUID.
$EnvironmentName = "your-environment-id-here"

# Governance payload: protection level plus the FSI extended settings.
$GovernanceConfiguration = [pscustomobject]@{
    protectionLevel = "Standard" # Use "Standard" for FSI
    settings        = [pscustomobject]@{
        extendedSettings = @{
            # FSI recommended settings
            "limitSharingMode"           = "excludeSharingToSecurityGroups"
            "solutionCheckerEnforcement" = "block"
        }
    }
}

# Splat the cmdlet arguments rather than line-continuing with backticks.
$governanceArgs = @{
    EnvironmentName                = $EnvironmentName
    UpdatedGovernanceConfiguration = $GovernanceConfiguration
}
Set-AdminPowerAppEnvironmentGovernanceConfiguration @governanceArgs
Validate Managed Environment Status
# Validation: Check Managed Environment status
# Fetch the environment once, then project the governance-relevant columns.
$environment = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName
$environment | Select-Object DisplayName, EnvironmentName, GovernanceConfiguration
Write-Host "Managed Environment enabled. Configure ACP via portal." -ForegroundColor Yellow
Note: Advanced Connector Policies currently require portal configuration. PowerShell support is limited as of January 2026.
MCP Audit Logging Configuration
# MCP Interaction Logging Configuration
# Built up key by key; the result is a plain hashtable so later snippets can
# index it as $mcpAuditConfig.<Key>.
$mcpAuditConfig = @{}
$mcpAuditConfig.LoggingEnabled = $true
$mcpAuditConfig.LogDestination = "Azure Log Analytics"
$mcpAuditConfig.RetentionDays  = 2190 # 6 years

# Event types the MCP audit trail must capture.
$mcpAuditConfig.EventsToCapture = @(
    "MCP_Connection_Established"
    "MCP_Tool_Invoked"
    "MCP_Resource_Accessed"
    "MCP_Error_Occurred"
    "MCP_Connection_Terminated"
)

# Fields every audit record is expected to carry.
$mcpAuditConfig.RequiredFields = @(
    "Timestamp"
    "UserId"
    "AgentId"
    "MCPServerId"
    "MCPServerName"
    "ToolName"
    "Action"
    "DataClassification"
    "ResponseStatus"
)

# Alerting rules, each with a human-readable condition and a severity label.
$mcpAuditConfig.AlertConditions = @(
    @{ Condition = "Unapproved MCP Server"; Severity = "Critical" }
    @{ Condition = "High-volume MCP calls"; Severity = "Warning" }
    @{ Condition = "MCP Error Rate > 10%";  Severity = "Warning" }
)
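# Example: Log MCP interaction
function Write-MCPAuditLog {
    <#
    .SYNOPSIS
    Builds one MCP audit record and echoes it to the host as compact JSON.
    .DESCRIPTION
    Returns a hashtable that carries every field named in
    $mcpAuditConfig.RequiredFields (Timestamp, UserId, AgentId, MCPServerId,
    MCPServerName, ToolName, Action, DataClassification, ResponseStatus) plus a
    fixed Source marker. The original version omitted MCPServerName and
    ResponseStatus, so its records did not satisfy the playbook's own required
    field list; both are now optional trailing parameters. Forwarding to Log
    Analytics is left to the caller because the transport varies by setup.
    .PARAMETER MCPServerName
    Optional display name of the MCP server; empty string when not supplied.
    .PARAMETER ResponseStatus
    Optional outcome of the call; empty string when not supplied.
    .OUTPUTS
    System.Collections.Hashtable - the audit record.
    #>
    param(
        [string]$UserId,
        [string]$AgentId,
        [string]$MCPServerId,
        [string]$ToolName,
        [string]$Action,
        [string]$DataClassification,
        # Appended after the existing parameters so positional callers are unaffected.
        [string]$MCPServerName = "",
        [string]$ResponseStatus = ""
    )

    $logEntry = @{
        Timestamp          = Get-Date -Format "o" # ISO 8601 round-trip format
        UserId             = $UserId
        AgentId            = $AgentId
        MCPServerId        = $MCPServerId
        MCPServerName      = $MCPServerName
        ToolName           = $ToolName
        Action             = $Action
        DataClassification = $DataClassification
        ResponseStatus     = $ResponseStatus
        Source             = "MCP_Governance"
    }

    # Send to Log Analytics (implementation varies by setup)
    Write-Host "MCP Audit: $($logEntry | ConvertTo-Json -Compress)"
    return $logEntry
}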
Evidence Collection via Automation
If your organization collects evidence via automation, capture:
- DLP policies (inventory and scope)
- Environment group membership
- Connector/connection inventory per environment
# Get all environments for evidence
# Output settings are splatted so the two exports read the same way.
$environmentExport = @{ Path = "environment-inventory.csv"; NoTypeInformation = $true }
Get-AdminPowerAppEnvironment |
    Select-Object DisplayName, EnvironmentName, Location, EnvironmentType |
    Export-Csv @environmentExport

# Get DLP policies
$dlpExport = @{ Path = "dlp-policy-inventory.csv"; NoTypeInformation = $true }
Get-DlpPolicy |
    Select-Object PolicyName, CreatedTime, LastModifiedTime |
    Export-Csv @dlpExport
Note: PowerShell cmdlet availability varies by module version and tenant configuration; use as evidence support, not as the primary control implementation method.
MCP Governance Policy Template
# Model Context Protocol (MCP) Governance Policy
# Template: the server entry, dates and owner below are the playbook's sample
# values; replace them with the organisation's own before adopting the policy.
mcp_governance_policy:
  policy_version: "1.0"
  effective_date: "2026-01-15"
  policy_owner: "AI Governance Lead"

  # Default Behavior
  # presumably governs any server not listed under allowlist — confirm with the
  # team that enforces this policy.
  default_stance: "deny"
  approval_required: true

  # Approved MCP Servers
  allowlist:
    - server_id: "MCP-INT-001"
      name: "Internal Document Server"
      type: "internal"
      data_classification: "internal"
      approval_date: "2026-01-10"
      owner: "IT Operations"
      audit_enabled: true

  # Blocked MCP Patterns
  # NOTE(review): patterns are written as wildcards, but the field they match
  # against (server name vs. server id) is not defined here — confirm with the
  # enforcement tooling.
  blocklist:
    - pattern: "*community*"
      reason: "Community MCP servers require exception approval"
    - pattern: "*public*"
      reason: "Public MCP servers not permitted in regulated environments"

  # Zone-Specific MCP Rules
  # Zones escalate from no MCP use (zone_1) to vetted vendor servers with
  # additional controls (zone_3).
  zone_rules:
    zone_1:
      mcp_allowed: false
      rationale: "Personal productivity agents do not use MCP"
    zone_2:
      mcp_allowed: true
      restriction: "Internal MCP servers only"
      approval_required: true
    zone_3:
      mcp_allowed: true
      restriction: "Approved internal + vetted vendor MCP only"
      additional_controls:
        - full_audit_logging
        - data_flow_mapping
        - quarterly_review

  # Audit Requirements
  # retention_days matches the RetentionDays value in the PowerShell
  # $mcpAuditConfig snippet of this playbook; keep the two in step.
  audit_requirements:
    log_all_connections: true
    log_all_tool_invocations: true
    retention_days: 2190 # 6 years per SEC 17a-4
    export_format: "JSON"
    worm_storage_required: true # For Zone 3
BYOA Policy Template
# Bring Your Own Agent (BYOA) Policy
# Template: stances are the playbook's FSI defaults; adjust per organisation.
byoa_policy:
  policy_version: "1.0"

  # Personal AI Tools
  personal_ai:
    consumer_ai_tools: "blocked" # ChatGPT, Gemini, etc.
    personal_copilot: "allowed" # Microsoft 365 Copilot (licensed)
    exception_process: "None - no exceptions for consumer AI"

  # External AI Agents
  # Blocked by default; an exception requires every item under requirements.
  external_agents:
    default_stance: "blocked"
    exception_process: "Full vendor + technical assessment"
    requirements:
      - vendor_risk_assessment
      - technical_security_review
      - data_processing_agreement
      - audit_rights_in_contract
      - integration_with_audit_logging

  # Partner AI Integrations
  partner_ai:
    default_stance: "case-by-case"
    requirements:
      - joint_governance_agreement
      - defined_data_boundaries
      - incident_response_coordination
      - regular_joint_reviews

  # Documentation Requirements
  # Artefacts expected for each approved agent or integration.
  documentation:
    - architecture_diagram
    - data_flow_mapping
    - risk_assessment_completed
    - approval_record
Complete Configuration Script
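<#
.SYNOPSIS
Configures Control 1.4 - Advanced Connector Policies (ACP)
.DESCRIPTION
This script:
1. Enables Managed Environment on the target environment
2. Configures governance settings for FSI
3. Validates Managed Environment status
4. Exports environment inventory for evidence
Cmdlet errors are promoted to terminating errors ($ErrorActionPreference =
'Stop') so that a failed step reaches the catch block instead of being
followed by a [DONE] message. Evidence CSVs are written to the current
working directory with a shared yyyyMMdd stamp.
.PARAMETER EnvironmentName
The GUID of the target Power Platform environment
.EXAMPLE
.\Configure-Control-1.4.ps1 -EnvironmentName "abc123..."
.NOTES
Last Updated: January 2026
Related Control: Control 1.4 - Advanced Connector Policies (ACP)
#>
param(
    [Parameter(Mandatory=$true)]
    [string]$EnvironmentName
)

# try/catch only sees terminating errors; without this, a cmdlet failure is
# printed as a non-terminating error and the script still reports success.
$ErrorActionPreference = 'Stop'

try {
    # Connect to Power Platform
    Add-PowerAppsAccount
    Write-Host "=== Configuring Control 1.4: Advanced Connector Policies ===" -ForegroundColor Cyan

    # Step 1: Enable Managed Environment
    Write-Host "`nStep 1: Enabling Managed Environment..." -ForegroundColor White
    $GovernanceConfiguration = [pscustomobject]@{
        protectionLevel = "Standard" # Use "Standard" for FSI
        settings        = [pscustomobject]@{
            extendedSettings = @{
                "limitSharingMode"           = "excludeSharingToSecurityGroups"
                "solutionCheckerEnforcement" = "block"
            }
        }
    }
    Set-AdminPowerAppEnvironmentGovernanceConfiguration `
        -EnvironmentName $EnvironmentName `
        -UpdatedGovernanceConfiguration $GovernanceConfiguration
    Write-Host " [DONE] Managed Environment enabled with FSI settings" -ForegroundColor Green

    # Step 2: Validate Managed Environment status
    Write-Host "`nStep 2: Validating configuration..." -ForegroundColor White
    $EnvStatus = Get-AdminPowerAppEnvironment -EnvironmentName $EnvironmentName
    # NOTE(review): this reads Properties.protectionLevel, while the validation
    # snippet earlier in this playbook selects the GovernanceConfiguration
    # property — confirm which path the cmdlet exposes the protection level on,
    # otherwise this check may always fall through to [WARN].
    if ($EnvStatus.Properties.protectionLevel -eq "Standard") {
        Write-Host " [PASS] Managed Environment is active" -ForegroundColor Green
    } else {
        Write-Host " [WARN] Managed Environment may not be fully configured" -ForegroundColor Yellow
    }

    # One stamp for both evidence files so they can be paired by date.
    $stamp = Get-Date -Format 'yyyyMMdd'

    # Step 3: Export environment inventory for evidence
    Write-Host "`nStep 3: Exporting environment inventory..." -ForegroundColor White
    Get-AdminPowerAppEnvironment |
        Select-Object DisplayName, EnvironmentName, Location, EnvironmentType |
        Export-Csv -Path "environment-inventory-$stamp.csv" -NoTypeInformation
    Write-Host " [DONE] Environment inventory exported" -ForegroundColor Green

    # Step 4: Export DLP policies for evidence
    Write-Host "`nStep 4: Exporting DLP policy inventory..." -ForegroundColor White
    Get-DlpPolicy |
        Select-Object PolicyName, CreatedTime, LastModifiedTime |
        Export-Csv -Path "dlp-policy-inventory-$stamp.csv" -NoTypeInformation
    Write-Host " [DONE] DLP policy inventory exported" -ForegroundColor Green

    Write-Host "`n[PASS] Control 1.4 configuration completed successfully" -ForegroundColor Green
    Write-Host "[INFO] Configure Advanced Connector Policies via the portal" -ForegroundColor Yellow
}
catch {
    Write-Host "[FAIL] Error: $($_.Exception.Message)" -ForegroundColor Red
    Write-Host "[INFO] Stack trace: $($_.ScriptStackTrace)" -ForegroundColor Yellow
    exit 1
}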
Updated: January 2026 | Version: v1.2