Troubleshooting: Control 2.24 - Agent Feature Enablement and Restriction Governance

Last Updated: February 2026

Common Issues and Resolutions


Issue 1: PPAC Copilot Governance Page Not Available

Symptoms:

  • Cannot find "Copilot" or "Governance" section in Power Platform Admin Center
  • Left navigation does not show Copilot governance option
  • Features menu does not include Copilot Studio controls

Possible Causes:

  1. Feature has not rolled out to your tenant yet
  2. Insufficient permissions (not Power Platform Admin or Entra Global Admin)
  3. Tenant licensing does not include Copilot Studio features

Resolution Steps:

  1. Check Feature Availability:
  2. Navigate to Microsoft 365 Message Center (admin.microsoft.com → Health → Message center)
  3. Search for "Copilot governance" or "Power Platform governance"
  4. Verify rollout status and expected availability date for your tenant region
  5. Some governance features are rolling out Q1-Q2 2026; your tenant may not have access yet

  6. Verify Permissions:

    # Check your admin roles
    Connect-MgGraph -Scopes "User.Read.All", "RoleManagement.Read.Directory"
    $userId = (Get-MgContext).Account
    Get-MgUserMemberOf -UserId $userId | Where-Object {$_.AdditionalProperties.'@odata.type' -like '*DirectoryRole*'}
    

  7. Confirm you have "Power Platform Admin" or "Entra Global Admin" role
  8. If missing, request role assignment from Entra Global Admin

  9. Verify Licensing:

  10. Check tenant has appropriate Power Platform licensing (Power Apps Premium or Copilot Studio licenses)
  11. Navigate to Microsoft 365 Admin Center → Billing → Licenses
  12. Confirm "Power Apps Premium" or "Microsoft Copilot Studio" licenses are assigned

  13. Alternative Configuration Paths: If PPAC Copilot governance page is unavailable, use these alternative methods:

  14. Settings → Features in PPAC: Some feature toggles are available here
  15. DLP policies: Use DLP to enforce connector restrictions (Control 1.4)
  16. Environment security roles: Restrict agent author permissions via security roles
  17. Microsoft Support ticket: Request assistance enabling specific governance features

Workaround: Use DLP policies as the primary enforcement mechanism until PPAC Copilot governance page becomes available. Document this as a compensating control.


Issue 2: GA Feature Cannot Be Disabled

Symptoms:

  • Feature toggle in PPAC is grayed out (cannot be changed)
  • Feature is marked as "General Availability" (GA) with no disable option
  • Documentation states feature can be disabled, but toggle is missing
  • Feature continues to appear for agent authors despite attempts to disable

Possible Causes:

  1. Microsoft has marked the feature as "always on" for GA tenants
  2. Feature requires Microsoft Support intervention to disable (intentional design)
  3. Feature is disabled through a different configuration path
  4. Feature visibility is controlled by licensing, not toggles

Resolution Steps:

  1. Check Feature Documentation:
  2. Review Microsoft Learn documentation for the specific feature
  3. Look for sections titled "How to disable" or "Opt-out"
  4. Some GA features have specific requirements for disablement (e.g., must disable in all environments first, then tenant-wide)

  5. Contact Microsoft Support:

  6. Open a Microsoft Support ticket (portal.azure.com → Help + support)
  7. Reference the specific feature name and GA announcement
  8. Request confirmation on whether feature can be disabled and process to do so
  9. Example: "GA feature 'Generative Actions' cannot be disabled in PPAC; request assistance or confirmation this is by design"

  10. Implement Compensating Controls: If feature cannot be disabled at platform level, implement runtime controls:

  11. DLP policies: Block connectors used by the feature (e.g., block AI Builder connector to prevent generative actions)
  12. Environment security roles: Restrict "Create" permissions for agents in Zone 3 environments
  13. Monitoring and alerts: Use audit logs to detect unauthorized feature usage; alert on violations
  14. Documented policy: Create organizational policy prohibiting use of feature; include in agent author training
  15. Code reviews: Manually review agents before production deployment to verify prohibited features are not used

  16. Document as Control Gap:

  17. Add entry to control gap register: "Feature X (GA) cannot be disabled at platform level"
  18. Document compensating controls implemented
  19. Include in next SOC 2 / ISO audit as "limitation of technology; mitigated by compensating controls"
  20. Example entry:
    Control Gap: Generative Actions cannot be disabled at tenant level (GA feature)
    Compensating Controls:
    - DLP policy blocks AI Builder connector in Zone 3 environments
    - Manual code review required before Zone 3 agent deployment
    - Monitoring alert triggers if generative action is detected in Zone 3 agent
    - Documented policy prohibiting generative actions in Zone 3
    Risk Level: Medium (acceptable with compensating controls)
    Next Review: [Date]
    

Workaround: Accept feature is enabled at platform level; enforce restrictions through DLP, security roles, and procedural controls.


Issue 3: Feature Catalog Table Creation Fails

Symptoms:

  • PowerShell script Deploy-FeatureCatalog.ps1 fails with error
  • Error message: "Access Denied" or "Insufficient Permissions"
  • Dataverse table creation times out or hangs

Possible Causes:

  1. Insufficient permissions in Dataverse environment
  2. Environment is managed (production) and requires approval for schema changes
  3. Dataverse capacity is exhausted
  4. API throttling limits exceeded

Resolution Steps:

  1. Check Dataverse Permissions:
  2. Verify you have "System Administrator" security role in the target Dataverse environment
  3. Navigate to Power Platform Admin Center → Environments → [Environment] → Settings → Users + permissions → Security roles
  4. Confirm your user account is listed with System Administrator role
  5. If missing, assign the role through Power Platform Admin Center

  6. Use Default Environment:

  7. Create feature catalog table in the default environment (not a production Zone 3 environment)
  8. Default environment typically has more permissive permissions
  9. After table is created, export as solution and import to other environments if needed

  10. Manual Table Creation (Alternative to PowerShell):

  11. Open Power Apps Maker Portal (make.powerapps.com)
  12. Select the target environment
  13. Navigate to Tables → + New table → Start from blank
  14. Manually create table with name: fsi_featurecatalog
  15. Add columns as specified in Deploy-FeatureCatalog.ps1 script comments
  16. This avoids API calls and permission issues

  17. Use Power Platform CLI (Alternative Method):

    # Install Power Platform CLI if not already installed
    dotnet tool install --global Microsoft.PowerApps.CLI.Tool
    
    # Authenticate to environment
    pac auth create --url https://contoso.crm.dynamics.com
    
    # Create table
    pac table create --name fsi_featurecatalog --display-name "FSI Feature Catalog" --description "Tracks feature governance"
    
    # Add columns (example for one column)
    pac column create --table-name fsi_featurecatalog --name fsi_featurename --display-name "Feature Name" --type text --required
    

  18. Check Capacity and Throttling:

  19. Navigate to Power Platform Admin Center → Resources → Capacity
  20. Verify Dataverse database capacity is not exhausted (must have available storage)
  21. If throttling is occurring, wait 1 hour and retry (API limits reset hourly)

Workaround: Use SharePoint list instead of Dataverse table for feature catalog (simpler, no Dataverse permissions required). See Portal Walkthrough Step 8 Option B.


Issue 4: DLP Policy Not Blocking Prohibited Connector

Symptoms:

  • HTTP connector (or other high-risk connector) is in "Blocked" group in DLP policy
  • Agent authors can still add the connector to agents in restricted environments
  • Agent with blocked connector saves successfully without errors

Possible Causes:

  1. DLP policy is not applied to the target environment
  2. Environment is excluded from DLP policy scope
  3. DLP policy has lower priority than another policy (multiple policies with conflicts)
  4. Connector classification has not synchronized yet (can take up to 2 hours)
  5. User has "DLP exemption" role or permission

Resolution Steps:

  1. Verify DLP Policy Scope:
  2. In Power Platform Admin Center, navigate to Data policies → [Select Policy]
  3. Click Edit policy → Review Environments tab
  4. Confirm the target environment is included in policy scope
  5. If not included, add the environment to policy scope

  6. Check for Multiple DLP Policies:

  7. List all DLP policies in tenant:
    Add-PowerAppsAccount
    Get-AdminDlpPolicy | Select-Object DisplayName, EnvironmentType, PolicyName
    
  8. If multiple policies apply to same environment, resolve conflicts:
    • AllEnvironments policy applies to all environments (cannot be overridden)
    • ExceptEnvironments policy applies to all except specified environments
    • OnlyEnvironments policy applies only to specified environments
  9. Highest priority: OnlyEnvironments > ExceptEnvironments > AllEnvironments
  10. Ensure your Zone 3 policy has correct scope and highest priority

  11. Wait for Policy Synchronization:

  12. DLP policy changes can take up to 2 hours to fully propagate
  13. After changing connector classification, wait 2 hours before testing
  14. Clear browser cache and sign out/in to Copilot Studio to force policy refresh

  15. Check User Exemptions:

  16. Some users may have "DLP Exemption" permission (rare, but possible)
  17. Verify user security role in environment:
    # Connect to Dataverse
    Import-Module Microsoft.Xrm.Data.PowerShell
    $conn = Connect-CrmOnline -ServerUrl "https://contoso.crm.dynamics.com" -ForceOAuth
    
    # Query user security roles
    Get-CrmRecords -conn $conn -EntityLogicalName systemuserroles -FilterAttribute systemuserid -FilterOperator eq -FilterValue [UserGUID]
    
  18. If user has "System Administrator" or custom role with "Override DLP" privilege, they bypass DLP policies
  19. Remove override privilege or use service accounts without admin roles for testing

  20. Test DLP Enforcement Directly:

    # Use Test-DLPEnforcement.ps1 script from PowerShell Setup playbook
    .\Test-DLPEnforcement.ps1
    

  21. Script will report if DLP policies are correctly configured
  22. If script shows connector as "Allowed" but policy shows "Blocked", there is a synchronization or configuration issue

  23. Escalate to Microsoft Support:

  24. If policy is correctly configured but not enforcing, contact Microsoft Support
  25. Provide: Policy name, environment ID, connector name, screenshots of policy configuration, test results showing connector is not blocked

Workaround: Implement procedural control: Manual code review of all agents before production deployment to verify prohibited connectors are not used.
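
The scope and classification checks in steps 1 and 2 can be rehearsed offline before touching the tenant. The PowerShell below is an added example, not part of the playbook's scripts: it evaluates constructed policy objects shaped like the `Get-AdminDlpPolicy` fields used on this page (`DisplayName`, `EnvironmentType`, `ConnectorGroups`), and it assumes an `Environments` collection with a `name` property; the connector and environment names are placeholders.

```powershell
# Added example (not from the playbook). All policy data below is constructed.
# Assumption: each policy exposes an Environments collection whose items have a
# 'name' property; confirm this against your own Get-AdminDlpPolicy output.

function Test-DlpPolicyInScope {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [string] $EnvironmentName)
    $names  = @(foreach ($e in $Policy.Environments) { $e.name })
    $listed = $names -contains $EnvironmentName
    switch ($Policy.EnvironmentType) {
        'AllEnvironments'    { return $true }
        'OnlyEnvironments'   { return $listed }
        'ExceptEnvironments' { return (-not $listed) }
        default              { throw "Unknown EnvironmentType: $($Policy.EnvironmentType)" }
    }
}

function Get-DlpConnectorClassification {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [string] $ConnectorName)
    foreach ($group in $Policy.ConnectorGroups) {
        foreach ($connector in $group.connectors) {
            if ($connector.name -eq $ConnectorName) { return $group.classification }
        }
    }
    return 'NotListed'   # connector is not named in any group of this policy
}

function Get-DlpCoverage {
    param([object[]] $Policies, [string] $EnvironmentName, [string] $ConnectorName)
    $rows = foreach ($p in $Policies) {
        $inScope = Test-DlpPolicyInScope -Policy $p -EnvironmentName $EnvironmentName
        $class   = $null
        if ($inScope) {
            $class = Get-DlpConnectorClassification -Policy $p -ConnectorName $ConnectorName
        }
        [pscustomobject]@{
            Policy         = $p.DisplayName
            Scope          = $p.EnvironmentType
            InScope        = $inScope
            Classification = $class
        }
    }
    $applied = @($rows | Where-Object { $_.InScope })
    $blocked = @($applied | Where-Object { $_.Classification -eq 'Blocked' })

    # Map the result onto the "Possible Causes" list for this issue.
    if ($applied.Count -eq 0)                  { $finding = 'NoPolicyInScope' }
    elseif ($blocked.Count -eq $applied.Count) { $finding = 'BlockedInEveryPolicy' }
    elseif ($blocked.Count -gt 0)              { $finding = 'PoliciesDisagree' }
    else                                       { $finding = 'NotBlocked' }

    [pscustomobject]@{
        Environment = $EnvironmentName
        Connector   = $ConnectorName
        Finding     = $finding
        Policies    = $rows
    }
}

# Constructed sample: one tenant-wide policy, one Zone 3 policy, and one policy
# that excludes the Zone 3 environment.
$zone3Env  = 'env-zone3-constructed'
$connector = 'shared_example_http'   # placeholder connector name
$httpEntry = [pscustomobject]@{ id = "/apis/$connector"; name = $connector }
$envEntry  = [pscustomobject]@{ name = $zone3Env }

$policies = @(
    [pscustomobject]@{
        DisplayName     = 'Tenant baseline'
        EnvironmentType = 'AllEnvironments'
        Environments    = @()
        ConnectorGroups = @([pscustomobject]@{ classification = 'General'; connectors = @($httpEntry) })
    },
    [pscustomobject]@{
        DisplayName     = 'Zone 3 restricted'
        EnvironmentType = 'OnlyEnvironments'
        Environments    = @($envEntry)
        ConnectorGroups = @([pscustomobject]@{ classification = 'Blocked'; connectors = @($httpEntry) })
    },
    [pscustomobject]@{
        DisplayName     = 'Non-Zone-3 default'
        EnvironmentType = 'ExceptEnvironments'
        Environments    = @($envEntry)
        ConnectorGroups = @([pscustomobject]@{ classification = 'General'; connectors = @($httpEntry) })
    }
)

$result = Get-DlpCoverage -Policies $policies -EnvironmentName $zone3Env -ConnectorName $connector
$result.Policies | Format-Table Policy, Scope, InScope, Classification
"Finding: $($result.Finding)"
```

A `PoliciesDisagree` or `NoPolicyInScope` finding points at causes 1 to 3 above; `BlockedInEveryPolicy` with the connector still usable points at synchronization or user exemptions.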


Issue 5: Feature Catalog Shows Expiration Alerts but Feature Still Works

Symptoms:

  • PowerShell report Get-FeatureComplianceReport.ps1 shows feature with expired exception (Expiration Date in past)
  • Feature is still enabled and functional in environment
  • No automatic disablement occurred

Possible Causes:

  1. Feature expiration is not automatically enforced by platform (expected behavior)
  2. Manual disablement process was not followed
  3. Expiration date is for tracking purposes only (not runtime enforcement)

Resolution Steps:

  1. Understand Expiration Date Purpose:
  2. Important: Expiration Date in feature catalog is for governance tracking only, not automatic enforcement
  3. Microsoft Power Platform does not automatically disable features based on custom Dataverse table data
  4. Expiration alerts are intended to trigger manual review and action

  5. Manual Feature Disablement Process: When a feature expires:

  6. AI Governance Lead or Compliance Officer reviews the expiration alert
  7. Decision: Renew exception (extend expiration date and update change ticket) OR Revoke access (disable feature)
  8. If revoking:
    1. Update PPAC feature toggle to disable feature in environment
    2. Update DLP policy to block related connectors (if applicable)
    3. Notify affected users that feature access has expired
    4. Update feature catalog: Set Zone Status to "Prohibited", clear Expiration Date, add note to Justification field
  9. If renewing:

    1. Submit new change request for feature enablement extension
    2. Obtain required approvals (Power Platform Admin, AI Governance Lead, Compliance Officer for Zone 3)
    3. Update feature catalog: New Expiration Date, new Change Ticket reference, updated Justification
  10. Implement Automated Expiration Workflow (Optional):

  11. Create Power Automate flow triggered by Expiration Date in feature catalog
  12. Flow logic:
    • Trigger: Daily schedule (recurrence)
    • Condition: Check if any features have Expiration Date < Today
    • Action 1: Send email alert to AI Governance Lead with list of expired features
    • Action 2: Create task in change management system: "Review expired feature: [Feature Name]"
    • Action 3: (Optional) Auto-disable feature by calling Power Platform Admin API (requires API connector and custom logic)
  13. Deploy flow to default environment

  14. Document Expiration Process:

  15. Add expiration handling procedure to governance documentation:
    Feature Exception Expiration Process:
    1. Monthly: Generate feature compliance report (includes expiration alerts)
    2. AI Governance Lead reviews alerts for features expiring within 30 days
    3. For each expiring feature:
       a. Contact business owner: "Feature [X] expires on [Date]. Renew or revoke?"
       b. If renew: Submit change request for extension (requires re-approval)
       c. If revoke: Update PPAC and DLP to disable feature; notify users
    4. Update feature catalog with decision
    5. Report expiration actions to Compliance Officer monthly
    

Workaround: Manual review of expiration alerts monthly. No automatic enforcement is expected or available in Power Platform.
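
Because expiration is tracking-only, the monthly review depends on triaging catalog rows reliably. The PowerShell below is an added example, not the playbook's Get-FeatureComplianceReport.ps1: it classifies constructed catalog records into the states the process above acts on, including a revoked feature whose Expiration Date was never cleared. `fsi_featurename` and `fsi_zone3status` appear on this page; `fsi_expirationdate`, `fsi_changeticket`, the date format and the status value `Exception` are assumptions.

```powershell
# Added example (not the playbook's script). All records below are constructed.
# Hypothetical columns: fsi_expirationdate (yyyy-MM-dd string), fsi_changeticket.
# Hypothetical status value: 'Exception'. 'Prohibited' is the value named on this page.

function Get-FeatureExceptionStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [datetime] $AsOf = (Get-Date),
        [int] $WarningDays = 30          # review window from the documented process
    )
    $today = $AsOf.Date
    foreach ($r in $Records) {
        $expiry = $null
        if (-not [string]::IsNullOrWhiteSpace($r.fsi_expirationdate)) {
            $expiry = [datetime]::ParseExact($r.fsi_expirationdate, 'yyyy-MM-dd',
                                             [cultureinfo]::InvariantCulture)
        }
        $hasExpiry  = $null -ne $expiry
        $prohibited = $r.fsi_zone3status -eq 'Prohibited'

        if ($prohibited -and $hasExpiry)                  { $state = 'StaleExpirationDate' }
        elseif ($prohibited)                              { $state = 'Prohibited' }
        elseif (-not $hasExpiry)                          { $state = 'NoExpirationSet' }
        elseif ($expiry -lt $today)                       { $state = 'Expired' }
        elseif ($expiry -le $today.AddDays($WarningDays)) { $state = 'ExpiringSoon' }
        else                                              { $state = 'Active' }

        $overdue = 0
        if ($state -eq 'Expired') { $overdue = ($today - $expiry).Days }

        [pscustomobject]@{
            Feature      = $r.fsi_featurename
            Zone3Status  = $r.fsi_zone3status
            Expires      = $r.fsi_expirationdate
            State        = $state
            DaysOverdue  = $overdue
            ChangeTicket = $r.fsi_changeticket
        }
    }
}

# Constructed catalog rows covering each state.
$catalog = @(
    [pscustomobject]@{ fsi_featurename = 'Feature A'; fsi_zone3status = 'Exception'
                       fsi_expirationdate = '2026-01-10'; fsi_changeticket = 'CHG-PLACEHOLDER-1' },
    [pscustomobject]@{ fsi_featurename = 'Feature B'; fsi_zone3status = 'Exception'
                       fsi_expirationdate = '2026-03-01'; fsi_changeticket = 'CHG-PLACEHOLDER-2' },
    [pscustomobject]@{ fsi_featurename = 'Feature C'; fsi_zone3status = 'Exception'
                       fsi_expirationdate = '2026-09-30'; fsi_changeticket = 'CHG-PLACEHOLDER-3' },
    [pscustomobject]@{ fsi_featurename = 'Feature D'; fsi_zone3status = 'Exception'
                       fsi_expirationdate = $null;        fsi_changeticket = $null },
    [pscustomobject]@{ fsi_featurename = 'Feature E'; fsi_zone3status = 'Prohibited'
                       fsi_expirationdate = '2025-12-31'; fsi_changeticket = 'CHG-PLACEHOLDER-4' }
)

# Fixed evaluation date so the sample is reproducible.
$asOf   = [datetime]::ParseExact('2026-02-15', 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
$report = Get-FeatureExceptionStatus -Records $catalog -AsOf $asOf

$report | Format-Table Feature, Zone3Status, Expires, State, DaysOverdue

# Rows that need a renew-or-revoke decision or a catalog correction.
$report | Where-Object { $_.State -in 'Expired', 'NoExpirationSet', 'StaleExpirationDate' } |
    Select-Object Feature, State, ChangeTicket
```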


Issue 6: Agent Author Cannot Request Feature Enablement

Symptoms:

  • Agent author wants to use a restricted feature but does not know how to request approval
  • No clear process communicated to agent authors
  • Requests sent via email to admins are informal and lack required documentation

Possible Causes:

  1. Change management process not documented or communicated
  2. Self-service portal for feature requests not available
  3. Agent authors lack training on governance procedures

Resolution Steps:

  1. Document Feature Request Process:
  2. Create a one-page guide: "How to Request Copilot Studio Feature Enablement"
  3. Include:
    • Link to change management system (ServiceNow, Jira, SharePoint form)
    • Step-by-step instructions with screenshots
    • List of required information (Feature Name, Environment, Justification, Risk Assessment)
    • Expected approval timeline (e.g., 3-5 business days for Zone 2, 5-10 days for Zone 3)
    • Contact information for questions (AI Governance Lead email or Teams channel)
  4. Publish guide to agent author knowledge base (SharePoint, Confluence, internal wiki)

  5. Create Self-Service Request Form:

  6. Build a Power Apps form or SharePoint form for feature requests:
    • Form fields map directly to change management template
    • Dropdown for Feature Name (populated from feature catalog)
    • Dropdown for Environment (populated from Power Platform environment list)
    • Multi-line text for Business Justification
    • File upload for Risk Assessment document (Zone 3 only)
  7. Form submission triggers Power Automate flow:

    • Flow creates change request ticket in change management system
    • Flow sends email to Power Platform Admin and AI Governance Lead
    • Flow sends confirmation email to requester with ticket number
  8. Communicate Process to Agent Authors:

  9. Announce process in organization-wide communication (email, Teams, Yammer)
  10. Include link to request form and documentation guide
  11. Offer office hours or Q&A session for questions
  12. Add feature request process to agent author onboarding training

  13. Embed Request Link in Error Messages:

  14. If possible, customize error messages when agent authors attempt to use restricted features
  15. Example: "This feature requires approval. Submit a request here: [Link to Form]"
  16. Reduces friction and confusion

  17. Track and Report Request Metrics:

  18. Monthly report: Number of feature requests submitted, approved, rejected, pending
  19. Average approval time per zone
  20. Most requested features (inform future zone policy adjustments)
  21. Share metrics with leadership to demonstrate governance process effectiveness

Workaround: Provide AI Governance Lead email address as interim contact method until formal process is documented. Manually process requests via email until self-service form is available.


Issue 7: Zone Classification Is Unclear for Environment

Symptoms:

  • Environment exists but governance zone (Zone 1/2/3) is not documented or clear
  • Conflicting information: Environment name suggests Zone 2, but usage is Zone 3
  • No metadata or tags on environment indicating zone

Possible Causes:

  1. Environment naming convention does not include zone classification
  2. Environment metadata tags not implemented
  3. Environment usage changed over time (started as Zone 1, now used for Zone 3 purposes)

Resolution Steps:

  1. Establish Environment Naming Convention:
  2. Define naming convention that includes zone classification:
    • Example: PROD-Z3-CustomerService (Zone 3 Production for Customer Service)
    • Example: DEV-Z1-PersonalApps (Zone 1 Development for Personal Apps)
  3. Document naming convention in environment management policy
  4. Rename existing environments to match convention (if possible; consider dependencies)

  5. Implement Environment Metadata Tags:

  6. Use Power Platform environment properties to tag zone classification
  7. Set custom environment variables:
    # Example: Set environment variable indicating zone
    # This is a custom solution; Power Platform does not have native zone tagging
    # Alternative: Use environment description field to include zone
    
    Set-AdminPowerAppEnvironment -EnvironmentName [EnvironmentGUID] -EnvironmentDescription "Zone 3 (Enterprise) - Customer Support"
    
  8. Alternative: Maintain separate inventory (SharePoint list or Dataverse table) mapping Environment ID to Zone

    • Columns: EnvironmentName, EnvironmentID, Zone (Choice: Zone 1/2/3), BusinessOwner, ComplianceContact
  9. Create Environment Registry:

  10. Build Dataverse table or SharePoint list: fsi_environmentregistry
  11. Fields:
    • EnvironmentName (text)
    • EnvironmentID (text)
    • Zone (choice: Zone 1, Zone 2, Zone 3)
    • EnvironmentType (choice: Production, Development, Test)
    • BusinessOwner (lookup to user)
    • ComplianceContact (lookup to user)
    • DataClassification (choice: Public, Internal, Confidential, Restricted)
    • Notes (multi-line text)
  12. Populate with all existing environments
  13. Reference this registry in scripts and documentation

  14. Conduct Environment Classification Workshop:

  15. Involve: Power Platform Admin, Business Owners, Compliance Officer, AI Governance Lead
  16. Review each environment:
    • What agents are deployed here?
    • Who are the users (internal employees, external customers)?
    • What data is accessed?
    • What are regulatory requirements?
  17. Assign zone classification based on criteria:
    • Zone 1: Personal productivity, no regulated data, internal users only
    • Zone 2: Team collaboration, internal users, organizational data (not customer financial data)
    • Zone 3: Customer-facing, regulated data, requires highest governance
  18. Document decisions in environment registry

  19. Validate Zone Classification Against Control 2.2:

  20. Control 2.2 (Environment Groups and Tier Classification) defines zone criteria
  21. Review Control 2.2 documentation and align environment classifications
  22. Ensure feature restrictions in 2.24 align with environment tiers in 2.2

Workaround: Use environment description field (visible in PPAC) to manually document zone classification until formal tagging or registry is implemented.
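
Once the naming convention, description field and registry all carry a zone, they can drift apart, which is the "conflicting information" symptom above. The PowerShell below is an added example, not one of the playbook's scripts: it derives the zone from each source for constructed environments and reports disagreements. The `Description` property name and all sample values are assumptions; the name pattern follows the `PROD-Z3-CustomerService` convention shown in step 1.

```powershell
# Added example (not from the playbook). All environments and registry rows are
# constructed. Assumption: the environment object carries its description in a
# property called Description; adjust to whatever your inventory export uses.

function Get-ZoneNumber {
    param([string] $Text, [Parameter(Mandatory)] [string] $Pattern)
    if ($Text -and $Text -match $Pattern) { return [int] $Matches['zone'] }
    return $null
}

function Compare-EnvironmentZone {
    param([object[]] $Environments, [object[]] $Registry)

    $namePattern = '^[A-Za-z]+-Z(?<zone>[123])-.+$'   # e.g. PROD-Z3-CustomerService
    $textPattern = '\bZone\s*(?<zone>[123])\b'        # e.g. "Zone 3 (Enterprise) - ..."

    # Index the registry by EnvironmentID for lookup.
    $byId = @{}
    foreach ($row in $Registry) { $byId[$row.EnvironmentID] = $row }

    foreach ($e in $Environments) {
        $reg      = $byId[$e.EnvironmentName]
        $fromName = Get-ZoneNumber -Text $e.DisplayName -Pattern $namePattern
        $fromDesc = Get-ZoneNumber -Text $e.Description -Pattern $textPattern
        $fromReg  = Get-ZoneNumber -Text $reg.Zone      -Pattern $textPattern

        $zones = @($fromName, $fromDesc, $fromReg |
                   Where-Object { $null -ne $_ } | Sort-Object -Unique)

        if ($zones.Count -gt 1)      { $finding = 'Conflict' }
        elseif ($zones.Count -eq 0)  { $finding = 'Unclassified' }
        elseif ($null -eq $fromReg)  { $finding = 'NotInRegistry' }
        else                         { $finding = 'Consistent' }

        [pscustomobject]@{
            DisplayName     = $e.DisplayName
            EnvironmentID   = $e.EnvironmentName
            ZoneFromName    = $fromName
            ZoneFromDesc    = $fromDesc
            ZoneInRegistry  = $fromReg
            Finding         = $finding
        }
    }
}

# Constructed inventory: IDs are placeholders, not real environment GUIDs.
$environments = @(
    [pscustomobject]@{ DisplayName = 'PROD-Z3-CustomerService'; EnvironmentName = 'env-0001'
                       Description = 'Zone 3 (Enterprise) - Customer Support' },
    [pscustomobject]@{ DisplayName = 'PROD-Z2-TeamBots';        EnvironmentName = 'env-0002'
                       Description = 'Zone 2 - Team collaboration' },
    [pscustomobject]@{ DisplayName = 'DEV-Z1-PersonalApps';     EnvironmentName = 'env-0003'
                       Description = '' },
    [pscustomobject]@{ DisplayName = 'Legacy Sandbox';          EnvironmentName = 'env-0004'
                       Description = '' }
)
$registry = @(
    [pscustomobject]@{ EnvironmentID = 'env-0001'; Zone = 'Zone 3' },
    [pscustomobject]@{ EnvironmentID = 'env-0002'; Zone = 'Zone 3' }   # usage changed over time
)

$findings = Compare-EnvironmentZone -Environments $environments -Registry $registry
$findings | Format-Table DisplayName, ZoneFromName, ZoneFromDesc, ZoneInRegistry, Finding

# Environments to bring to the classification workshop.
$findings | Where-Object { $_.Finding -ne 'Consistent' } | Select-Object DisplayName, Finding
```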


Issue 8: PowerShell Scripts Fail with Authentication Errors

Symptoms:

  • PowerShell script execution fails immediately with "Authentication failed" or "Access denied"
  • Connect-CrmOnline or Add-PowerAppsAccount prompts for credentials but then fails
  • Multi-factor authentication (MFA) challenges cause scripts to hang or timeout

Possible Causes:

  1. Account does not have required permissions
  2. MFA is required but not supported by authentication method
  3. Modern authentication is disabled
  4. PowerShell modules are outdated

Resolution Steps:

  1. Update PowerShell Modules:
    # Update to latest versions
    Update-Module Microsoft.PowerApps.Administration.PowerShell -Force
    Update-Module Microsoft.Xrm.Data.PowerShell -Force
    Update-Module Microsoft.PowerApps.PowerShell -Force
    
  2. Restart PowerShell console after updates
  3. Verify versions:

    Get-Module Microsoft.PowerApps.Administration.PowerShell -ListAvailable
    Get-Module Microsoft.Xrm.Data.PowerShell -ListAvailable
    

  4. Use Interactive Authentication with MFA:

  5. Ensure -ForceOAuth parameter is used in connection commands:
    Connect-CrmOnline -ServerUrl "https://contoso.crm.dynamics.com" -ForceOAuth
    
  6. -ForceOAuth opens a browser window for interactive authentication supporting MFA
  7. If browser does not open, check if popup blockers are enabled

  8. Use Service Principal (For Automation):

  9. For unattended scripts (Azure Automation, scheduled tasks), use service principal authentication:
    # Register app in Entra ID and grant Power Platform API permissions
    $appId = "[Application ID]"
    $clientSecret = "[Client Secret]"
    $tenantId = "[Tenant ID]"
    
    Add-PowerAppsAccount -ApplicationId $appId -ClientSecret $clientSecret -TenantID $tenantId
    
  10. Grant service principal "Power Platform Administrator" role
  11. Store the service principal credentials in a secure vault (Azure Key Vault)

  12. Check Conditional Access Policies:

  13. Entra Conditional Access policies may block authentication from certain locations or devices
  14. Navigate to Entra Admin Center → Protection → Conditional Access
  15. Review policies that apply to Power Platform APIs or admin accounts
  16. If policy requires compliant device or specific location, run script from compliant device/location
  17. Alternative: Exclude service principal from Conditional Access policies (for automation)

  18. Enable Modern Authentication:

  19. Verify modern authentication is enabled in tenant:
  20. Navigate to Microsoft 365 Admin Center → Settings → Org settings → Modern authentication
  21. Ensure "Enable modern authentication" is toggled on
  22. If disabled, enable and wait 24 hours for propagation

  23. Check Account Permissions:

    # Verify you have admin roles
    Connect-MgGraph
    Get-MgUserMemberOf -UserId (Get-MgContext).Account | Where-Object {$_.AdditionalProperties.'@odata.type' -like '*DirectoryRole*'}
    

  24. Confirm "Power Platform Administrator" or "Dynamics 365 Administrator" role
  25. For Dataverse operations, confirm "System Administrator" in target environment

Workaround: Run scripts manually from a workstation with interactive authentication instead of automated scheduled execution until service principal authentication is configured.


Issue 9: Feature Compliance Report Shows No Data

Symptoms:

  • PowerShell script Get-FeatureComplianceReport.ps1 completes but CSV file is empty or has only headers
  • Console output shows: "Retrieved 0 feature records"
  • Feature catalog table exists but appears empty

Possible Causes:

  1. Feature catalog table was not populated with initial data
  2. Script is querying wrong environment
  3. Data retrieval permissions issue
  4. Table name is incorrect (typo in script parameter)

Resolution Steps:

  1. Verify Feature Catalog Has Data:
  2. Manually check feature catalog table:
    • Open Power Apps (make.powerapps.com)
    • Navigate to Tables → fsi_featurecatalog → Data
    • Confirm records exist
  3. If table is empty, run Populate-FeatureCatalog.ps1 script to add baseline features

  4. Check Environment URL Parameter:

  5. Verify -EnvironmentUrl parameter in script call matches the environment where feature catalog is deployed
  6. Get correct URL:
    # List all environments and their URLs
    Add-PowerAppsAccount
    Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName, Properties | Format-Table
    
  7. Dataverse URL format: https://[orgname].crm[region].dynamics.com
  8. Re-run script with correct URL

  9. Verify Table Name:

  10. Confirm table logical name is exactly fsi_featurecatalog (case-sensitive in some APIs)
  11. If table was created with different name, update FetchXML query in script:

    <entity name="fsi_featurecatalog">  <!-- Update this line if table name is different -->
    

  12. Check Data Retrieval Permissions:

  13. User running script must have Read permission on fsi_featurecatalog table
  14. Verify security role includes Read privilege for custom tables
  15. Alternative: Run script with System Administrator account

  16. Test FetchXML Query Manually:

  17. Use XrmToolBox (free tool for Dataverse) to test FetchXML query
  18. Install XrmToolBox: https://www.xrmtoolbox.com/
  19. Use "FetchXML Builder" plugin to execute the query from Get-FeatureComplianceReport.ps1
  20. Verify query returns data when executed manually
  21. If manual query works but script fails, issue is with PowerShell module or connection

Workaround: Manually export feature catalog data from Power Apps Maker Portal (Tables → fsi_featurecatalog → Data → Export to Excel) until script issue is resolved.


Issue 10: Change Management System Does Not Support Copilot Feature Requests

Symptoms:

  • Change management system (ServiceNow, Jira, etc.) does not have template or workflow for Copilot Studio feature enablement
  • Existing change request types do not fit this use case
  • No integration between change management system and Power Platform

Possible Causes:

  1. Change management system is not configured for Power Platform governance
  2. Change management team is not aware of Copilot Studio governance requirements
  3. Integration automation (Power Automate → Change System) not implemented

Resolution Steps:

  1. Create Custom Change Request Type:
  2. Work with Change Management team to create new request type: "Copilot Studio Feature Enablement"
  3. Map required fields from Control 2.24 (Feature Name, Environment, Zone, Justification, Risk Assessment) to change request form
  4. Configure approval workflow routing:
    • Zone 1: Power Platform Admin
    • Zone 2: Power Platform Admin → AI Governance Lead
    • Zone 3: Power Platform Admin → AI Governance Lead → Compliance Officer
  5. Assign request type to appropriate change category (e.g., "Application Configuration Change")

  6. Use Standard Change Template (Interim):

  7. If custom type cannot be created immediately, use existing "Configuration Change" or "Application Change" template
  8. Add Copilot-specific fields in description or notes section:
    Change Description: Copilot Studio Feature Enablement
    Feature Name: [X]
    Environment: [Y]
    Governance Zone: [Zone 1/2/3]
    Business Justification: [Text]
    Risk Assessment: [Text]
    
  9. Document interim process in governance handbook

  10. Build Integration with Power Automate:

  11. Create Power Automate flow to integrate Power Platform with change management system:
    • Trigger: Manual button or SharePoint form submission (feature request)
    • Action 1: Create change request in change system via REST API or connector
    • Action 2: Send approval notifications to reviewers
    • Action 3: On approval, update feature catalog in Dataverse
    • Action 4: Notify requester of approval status
  12. Most change management systems have REST APIs or Power Automate connectors available

  13. Document Process Without Change System (Temporary):

  14. If change management system cannot be configured in short term, create interim process:
    • Use SharePoint list to track feature requests (columns: Requester, Feature, Environment, Status, Approvers, Approval Date)
    • Manual email approval workflow: Requester → Power Platform Admin → AI Governance Lead → Compliance Officer
    • Update SharePoint list status after each approval stage
    • Migrate to formal change system when available
  15. Document this as temporary process with planned migration date

  16. Engage Change Advisory Board (CAB):

  17. Present Copilot Studio governance requirements to CAB
  18. Request prioritization of change management system updates to support Power Platform governance
  19. Provide business justification: Regulatory compliance (SOX, FINRA, GLBA), risk management, audit trail requirements

Workaround: Use email-based approval with manual tracking in spreadsheet or SharePoint list until change management system is configured. Ensure audit trail is maintained (approval emails saved, decision documentation).


Diagnostic Commands

Use these commands to troubleshoot issues:

    # Check Power Platform environments
    Add-PowerAppsAccount
    Get-AdminPowerAppEnvironment | Select-Object DisplayName, EnvironmentName, EnvironmentType | Format-Table

    # List DLP policies
    Get-AdminDlpPolicy | Select-Object DisplayName, EnvironmentType, PolicyName | Format-Table

    # Check connector classifications in DLP policy
    $policy = Get-AdminDlpPolicy -PolicyName "[PolicyGUID]"
    $policy.ConnectorGroups | ForEach-Object { Write-Host "Classification: $($_.classification)"; $_.connectors | Select-Object id, name }

    # Verify user roles in Entra ID
    Connect-MgGraph
    Get-MgUserMemberOf -UserId (Get-MgContext).Account | Select-Object @{N='RoleName';E={$_.AdditionalProperties.displayName}}

    # Test Dataverse connection
    Import-Module Microsoft.Xrm.Data.PowerShell
    $conn = Connect-CrmOnline -ServerUrl "https://contoso.crm.dynamics.com" -ForceOAuth
    $conn.IsReady  # Should return True

    # Query feature catalog records
    Get-CrmRecords -conn $conn -EntityLogicalName fsi_featurecatalog -Fields fsi_featurename,fsi_zone3status

    # Check PowerShell module versions
    Get-Module Microsoft.PowerApps.Administration.PowerShell -ListAvailable
    Get-Module Microsoft.Xrm.Data.PowerShell -ListAvailable

Escalation Path

If issues cannot be resolved with troubleshooting steps:

  1. Power Platform Admin → Microsoft Support:
  2. Issues with PPAC feature toggles, DLP policies, API limits
  3. Open ticket at portal.azure.com → Help + support → New support request
  4. Select "Power Platform" or "Copilot Studio" as service

  5. AI Governance Lead → Compliance Officer:

  6. Issues requiring policy decisions (e.g., cannot disable GA feature, need compensating controls)
  7. Document issue, proposed compensating controls, residual risk
  8. Obtain approval for workaround from Compliance Officer

  9. Change Management Team → IT Leadership:

  10. Issues with change management system configuration or integration
  11. Escalate if CAB does not prioritize Copilot governance requirements
  12. Provide business case: Regulatory risk, audit findings, compliance obligations
