Portal Walkthrough: Control 3.12 - Agent Governance Exception and Override Management

Last Updated: February 2026 | Portal: Power Apps, Power Automate, Microsoft Teams, SharePoint | Estimated Time: 90-120 minutes

Prerequisites

  • Power Platform Admin role or Power Apps Environment Maker role
  • Power Automate Premium license (for approval flows and Dataverse)
  • Access to Dataverse environment (or SharePoint site for lightweight implementation)
  • Microsoft Teams access for notifications
  • Exception management policy documented (exception types, approval authorities, maximum durations)
  • Understanding of governance zone classifications (Control 2.2)
  • Change management process for policy overrides
  • List of approvers by zone (manager, compliance officer, CISO)

Step-by-Step Configuration

Part 1: Create Dataverse Exception Register Table

Step 1: Navigate to Power Apps Maker Portal

  1. Open Power Apps
  2. Sign in with your credentials
  3. In the top-right corner, select your Dataverse environment (use a dedicated governance environment, not Zone 3 production)
  4. In the left navigation, click Tables
  5. Review the existing tables to confirm no exception tracking table exists

Environment Selection: Use a dedicated governance or default environment for exception tracking. Do not create governance tables in Zone 3 production environments to maintain separation between operational and governance data.

Step 2: Create Custom Table for Exception Tracking

  1. Click + New table → Set advanced properties
  2. Configure table properties:
    • Display name: Governance Exceptions
    • Plural name: Governance Exceptions
    • Name (schema name): fsi_governanceexception (or your prefix)
    • Description: Tracks agent governance policy exceptions with approval workflow and expiration monitoring
    • Type: Standard
    • Enable attachments: Yes (for supporting documentation)
    • Track changes: Yes (required for audit trail)
    • Audit changes to its data: Yes (required for compliance)
  3. Click Save

The system creates the table with default columns: Name, Created On, Created By, Modified On, Modified By, Owner, Status, Status Reason.

Step 3: Add Custom Columns to Exception Table

Add the following columns to track exception lifecycle:

Column 1: Exception Request Date

  1. Click + New → Column
  2. Configure:
  3. Display name: Exception Request Date
  4. Data type: Date and time
  5. Format: Date only
  6. Behavior: User local (timezone-aware)
  7. Required: Business required
  8. Searchable: Yes
  9. Click Save

Column 2: Requestor

  1. Click + New → Column
  2. Configure:
  3. Display name: Requestor
  4. Data type: Lookup
  5. Related table: User
  6. Required: Business required
  7. Click Save

Column 3: Agent Name

  1. Click + New → Column
  2. Configure:
  3. Display name: Agent Name
  4. Data type: Text
  5. Format: Text
  6. Maximum length: 255
  7. Required: Business required
  8. Searchable: Yes
  9. Click Save

Column 4: Governance Zone

  1. Click + New → Column
  2. Configure:
  3. Display name: Governance Zone
  4. Data type: Choice
  5. Choices:
    • Zone 1 - Personal
    • Zone 2 - Team
    • Zone 3 - Enterprise
  6. Required: Business required
  7. Click Save

Column 5: Exception Type

  1. Click + New → Column
  2. Configure:
  3. Display name: Exception Type
  4. Data type: Choice
  5. Choices:
    • Policy Override
    • Approval Bypass
    • Inventory Grace Period
    • Environment Reclassification
    • Risk Acceptance
    • Other
  6. Required: Business required
  7. Click Save

Column 6: Business Justification

  1. Click + New → Column
  2. Configure:
  3. Display name: Business Justification
  4. Data type: Text
  5. Format: Text area (multiline)
  6. Maximum length: 4000
  7. Required: Business required
  8. Click Save

Column 7: Risk Assessment

  1. Click + New → Column
  2. Configure:
  3. Display name: Risk Assessment
  4. Data type: Text
  5. Format: Text area (multiline)
  6. Maximum length: 4000
  7. Required: Business required
  8. Click Save

Column 8: Compensating Controls

  1. Click + New → Column
  2. Configure:
  3. Display name: Compensating Controls
  4. Data type: Text
  5. Format: Text area (multiline)
  6. Maximum length: 4000
  7. Required: Business required
  8. Click Save

Column 9: Approval Status

  1. Click + New → Column
  2. Configure:
  3. Display name: Approval Status
  4. Data type: Choice
  5. Choices:
    • Pending
    • Level 1 Approved
    • Level 2 Approved
    • Fully Approved
    • Denied
    • Expired
    • Closed
  6. Default value: Pending
  7. Required: Business required
  8. Click Save

Column 10-12: Approver 1, 2, 3 (Repeat for each level)

  1. Click + New → Column
  2. Configure:
  3. Display name: Approver 1 (Manager)
  4. Data type: Lookup
  5. Related table: User
  6. Required: Optional (populated during approval)
  7. Click Save
  8. Repeat for Approver 2 (Compliance) and Approver 3 (CISO)

Column 13-15: Approval Date 1, 2, 3 (Repeat for each level)

  1. Click + New → Column
  2. Configure:
  3. Display name: Approval Date 1
  4. Data type: Date and time
  5. Format: Date only
  6. Required: Optional
  7. Click Save
  8. Repeat for Approval Date 2 and Approval Date 3

Column 16: Expiration Date

  1. Click + New → Column
  2. Configure:
  3. Display name: Expiration Date
  4. Data type: Date and time
  5. Format: Date only
  6. Required: Business required
  7. Click Save

Column 17: Renewal Count

  1. Click + New → Column
  2. Configure:
  3. Display name: Renewal Count
  4. Data type: Whole number
  5. Minimum value: 0
  6. Maximum value: 10
  7. Default value: 0
  8. Required: Business required
  9. Click Save

Column 18: Closure Date

  1. Click + New → Column
  2. Configure:
  3. Display name: Closure Date
  4. Data type: Date and time
  5. Format: Date only
  6. Required: Optional
  7. Click Save

Column 19: Closure Reason

  1. Click + New → Column
  2. Configure:
  3. Display name: Closure Reason
  4. Data type: Text
  5. Format: Text area (multiline)
  6. Maximum length: 2000
  7. Required: Optional
  8. Click Save

Step 4: Configure Security Roles for Exception Table

  1. In Power Apps, go to Settings (gear icon) → Advanced settings
  2. Navigate to Settings → Security → Security Roles
  3. Select the System Administrator role (or create a custom Governance Admin role)
  4. In the Custom Entities tab, find Governance Exceptions
  5. Grant the following privileges:
    • Create: Organization (all users can submit exception requests)
    • Read: Organization (all users can view exception status)
    • Write: Business Unit (only governance team can edit)
    • Delete: None (prevent accidental deletion; use closure instead)
    • Append: Organization
    • Append To: Organization
  6. Click Save and Close

Principle of Least Privilege: Grant broad Create and Read access to allow all users to submit and view exceptions, but restrict Write and Delete to governance administrators to prevent unauthorized modifications.


Part 2: Build Exception Request Form in Power Apps

Step 5: Create Canvas App for Exception Request

  1. In Power Apps, click + Create → Canvas app from blank
  2. Configure:
  3. App name: Agent Exception Request Form
  4. Format: Tablet (recommended for form-based apps)
  5. Click Create

Step 6: Connect to Dataverse Exception Table

  1. In the app editor, click Data (database icon) in the left toolbar
  2. Click + Add data
  3. Search for Governance Exceptions
  4. Select the table to add as a data source
  5. Verify the connection shows all custom columns

Step 7: Design Exception Request Form

  1. Click Insert → Forms → Edit form
  2. Resize the form to fill the screen (leave space for header and submit button)
  3. In the form properties pane:
    • Data source: Governance Exceptions
    • Item: Blank() (for new record creation)
    • Default mode: New
  4. Click Edit fields and add the following fields:
    • Exception Request Date
    • Requestor (default to User().Email)
    • Agent Name
    • Governance Zone
    • Exception Type
    • Business Justification
    • Risk Assessment
    • Compensating Controls
    • Expiration Date
  5. Reorder fields in logical flow (requestor info → exception details → risk → expiration)

Step 8: Configure Field Validation and Defaults

Requestor Field:

  1. Select the Requestor card in the form
  2. Set Default: User().Email (auto-populate with current user)
  3. Set DisplayMode: DisplayMode.View (read-only)

Exception Request Date Field:

  1. Select the Exception Request Date card
  2. Set Default: Today() (auto-populate with current date)
  3. Set DisplayMode: DisplayMode.View (read-only)

Expiration Date Field:

  1. Select the Expiration Date card
  2. Add a Label below the date picker:
  3. Text: "Maximum duration: " & If(StartsWith(Text(GovernanceZoneDropdown.Selected.Value), "Zone 3"), "30 days", If(StartsWith(Text(GovernanceZoneDropdown.Selected.Value), "Zone 2"), "60 days", "90 days"))
  4. Set OnChange for the date picker:
    // The choice labels are "Zone 1 - Personal", "Zone 2 - Team" and "Zone 3 - Enterprise",
    // so match on the label prefix rather than on the bare zone name.
    If(
        DateDiff(Today(), ExpirationDatePicker.SelectedDate, Days) > 
        If(StartsWith(Text(GovernanceZoneDropdown.Selected.Value), "Zone 3"), 30,
           If(StartsWith(Text(GovernanceZoneDropdown.Selected.Value), "Zone 2"), 60, 90)),
        Notify("Expiration date exceeds maximum duration for selected zone", NotificationType.Error),
        false
    )
    

Business Justification Field:

  1. Select the Business Justification card
  2. Add validation to require minimum length:
  3. Set Required: true
  4. Add character count label: "Characters: " & Len(JustificationTextInput.Text) & " / 100 minimum"

Step 9: Add Submit Button and Workflow Trigger

  1. Click Insert → Button
  2. Position button at bottom of form
  3. Configure button:
  4. Text: "Submit Exception Request"
  5. OnSelect:
    If(
        Len(JustificationTextInput.Text) >= 100 && 
        Len(RiskAssessmentTextInput.Text) >= 100 &&
        Len(CompensatingControlsTextInput.Text) >= 50,
        SubmitForm(ExceptionForm);
        Notify("Exception request submitted successfully. You will receive approval notifications via email.", NotificationType.Success);
        ResetForm(ExceptionForm),
        Notify("Please complete all required fields with sufficient detail.", NotificationType.Error)
    )
    

Step 10: Save and Publish Canvas App

  1. Click File → Save
  2. Click Publish → Publish this version
  3. Click Share and grant access to all users who may need to request exceptions
  4. Test the form by submitting a sample exception request

Testing Tip: Create a test record with all fields populated. Verify it appears in the Dataverse table by navigating to Tables → Governance Exceptions → Data.


Part 3: Build Multi-Level Approval Flow in Power Automate

Step 11: Create Approval Flow for Exception Requests

  1. Open Power Automate
  2. Select the same environment as your Dataverse table
  3. Click + Create → Automated cloud flow
  4. Configure:
  5. Flow name: Agent Exception Approval Workflow
  6. Trigger: When a row is added, modified or deleted (Dataverse)
  7. Change type: Added
  8. Table name: Governance Exceptions
  9. Click Create

Step 12: Add Condition to Filter New Requests

  1. Add action: Condition
  2. Configure:
  3. Left operand: Approval Status (from trigger)
  4. Operator: is equal to
  5. Right operand: Pending
  6. In the Yes branch, continue building the approval workflow

Step 13: Configure Zone-Based Approval Routing

  1. In the Yes branch, add action: Condition (to check zone)
  2. Configure:
  3. Left operand: Governance Zone (from trigger)
  4. Operator: is equal to
  5. Right operand: Zone 1

Zone 1 Branch (Single Approval):

  1. Add action: Start and wait for an approval
  2. Configure:
    • Approval type: Approve/Reject - First to respond
    • Title: "Agent Exception Request: " & Agent Name
    • Assigned to: (Power Platform Admin email)
    • Details:
        Requestor: [Requestor Email]
        Agent Name: [Agent Name]
        Exception Type: [Exception Type]
        Justification: [Business Justification]
        Risk Assessment: [Risk Assessment]
        Compensating Controls: [Compensating Controls]
        Expiration Date: [Expiration Date]
    • Item link: Link to Dataverse record (for review)
  3. Add action: Condition (check approval outcome)
  4. Configure:
    • Left operand: Outcome (from approval action)
    • Operator: is equal to
    • Right operand: Approve
  5. In Yes branch, add action: Update a row (Dataverse)
    • Table: Governance Exceptions
    • Row ID: (from trigger)
    • Approval Status: Fully Approved
    • Approver 1: (Approver email from approval action)
    • Approval Date 1: utcNow()
  6. In No branch, add action: Update a row (Dataverse)
    • Approval Status: Denied

Zone 2 Branch (Two-Level Approval):

  1. Duplicate Zone 1 logic but add second approval stage
  2. After Level 1 approval, update status to "Level 1 Approved"
  3. Add second Start and wait for an approval action
  4. Assigned to: (Compliance Officer email)
  5. Title and Details: Same as Level 1, plus "Level 1 approved by [Approver 1]"
  6. After Level 2 approval, update status to "Fully Approved"

Zone 3 Branch (Three-Level Approval):

  1. Duplicate Zone 2 logic but add third approval stage
  2. After Level 2 approval, update status to "Level 2 Approved"
  3. Add third Start and wait for an approval action
  4. Assigned to: (CISO email)
  5. After Level 3 approval, update status to "Fully Approved"

Step 14: Add Teams Notification for Approved Exceptions

  1. After all zone branches converge, add action: Post adaptive card in a chat or channel
  2. Configure:
  3. Post as: Flow bot
  4. Post in: Channel
  5. Team: (Governance Team)
  6. Channel: Agent Governance Alerts
  7. Adaptive Card:
    {
        "type": "AdaptiveCard",
        "body": [
            {
                "type": "TextBlock",
                "size": "Large",
                "weight": "Bolder",
                "text": "✅ Exception Approved",
                "color": "Good"
            },
            {
                "type": "FactSet",
                "facts": [
                    {"title": "Agent Name", "value": "@{triggerOutputs()?['body/fsi_agentname']}"},
                    {"title": "Requestor", "value": "@{triggerOutputs()?['body/_fsi_requestor_value']}"},
                    {"title": "Exception Type", "value": "@{triggerOutputs()?['body/fsi_exceptiontype']}"},
                    {"title": "Expiration Date", "value": "@{triggerOutputs()?['body/fsi_expirationdate']}"},
                    {"title": "Approvers", "value": "@{body('Level_1_Approval')?['responder']}"}
                ]
            }
        ],
        "$schema": "http://adaptivecards.io/schemas/adaptive-card.json",
        "version": "1.4"
    }
    

Step 15: Save and Test Approval Flow

  1. Click Save to save the flow
  2. Test by submitting a new exception request via the Power Apps form
  3. Verify:
  4. Approval email is sent to appropriate approver(s)
  5. Approver can approve/reject from email or Power Automate approval center
  6. Dataverse record updates with approval status and approver details
  7. Teams notification is posted for approved exceptions

Part 4: Configure Expiration Monitoring and Alerts

Step 16: Create Scheduled Flow for Expiration Alerts

  1. In Power Automate, click + Create → Scheduled cloud flow
  2. Configure:
  3. Flow name: Exception Expiration Monitor
  4. Recurrence: Daily at 8:00 AM
  5. Click Create

Step 17: Query Active Exceptions Nearing Expiration

  1. Add action: List rows (Dataverse)
  2. Configure:
  3. Table: Governance Exceptions
  4. Filter rows:
    fsi_approvalstatus eq 'Fully Approved' and 
    fsi_expirationdate le @{addDays(utcNow(), 7)} and
    fsi_expirationdate ge @{utcNow()}
    
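  5. This filters for approved exceptions expiring within 7 days. Dataverse compares a Choice column in an OData filter by its numeric option value, so use the value of the Fully Approved choice from your table in place of the label shown above.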

Step 18: Send Expiration Alerts

  1. Add action: Apply to each (loop through filtered exceptions)
  2. Inside loop, add action: Send an email (V2)
  3. Configure:
  4. To: (Requestor email from loop item)
  5. CC: (Approver 1, Approver 2, Approver 3)
  6. Subject (expression): concat('URGENT: Agent Exception Expiring in ', string(div(sub(ticks(item()?['fsi_expirationdate']), ticks(utcNow())), 864000000000)), ' days')
  7. Body:
    <p>Your agent governance exception is expiring soon.</p>
    <p><strong>Agent Name:</strong> [Agent Name]</p>
    <p><strong>Exception Type:</strong> [Exception Type]</p>
    <p><strong>Expiration Date:</strong> [Expiration Date]</p>
    <p><strong>Action Required:</strong> If the underlying issue has been remediated, close the exception in Dataverse. If additional time is needed, submit a renewal request with updated justification.</p>
    <p><strong>Renewal Limit:</strong> Maximum 2 renewals allowed. Current renewal count: [Renewal Count]</p>
    

Step 19: Post Teams Alert for Expiring Exceptions

  1. Inside the Apply to each loop, add action: Post adaptive card in a chat or channel
  2. Configure:
  3. Post as: Flow bot
  4. Post in: Channel
  5. Team: (Governance Team)
  6. Channel: Agent Governance Alerts
  7. Adaptive Card: (similar to approval notification, but with "⚠️ Exception Expiring Soon" title and orange warning color)

Step 20: Save and Test Expiration Monitor

  1. Click Save
  2. Test by creating a test exception record with expiration date set to 5 days from now
  3. Manually run the flow (click Test → Manually → Run flow)
  4. Verify email and Teams notifications are sent

Part 5: Build Exception Dashboard in Power BI (Optional)

Step 21: Connect Power BI to Dataverse Exception Table

  1. Open Power BI Desktop
  2. Click Get Data → Dataverse
  3. Enter your environment URL (e.g., https://org.crm.dynamics.com/)
  4. Select Governance Exceptions table
  5. Click Load to import data

Step 22: Create Exception Metrics Visuals

Active Exceptions by Zone:

  1. Add visual: Clustered column chart
  2. Configure:
  3. Axis: Governance Zone
  4. Values: Count of Exception ID
  5. Legend: Approval Status
  6. Filter to show only "Fully Approved" status

Exceptions by Type:

  1. Add visual: Pie chart
  2. Configure:
  3. Legend: Exception Type
  4. Values: Count of Exception ID

Expiring Exceptions (Next 30 Days):

  1. Add visual: Table
  2. Configure:
  3. Columns: Agent Name, Requestor, Exception Type, Expiration Date, Days Until Expiration
  4. Filter: Expiration Date is in next 30 days
  5. Sort: Days Until Expiration (ascending)

Renewal Count Distribution:

  1. Add visual: Clustered bar chart
  2. Configure:
  3. Axis: Renewal Count
  4. Values: Count of Exception ID

Step 23: Publish Dashboard and Schedule Refresh

  1. Click File → Publish → Publish to Power BI
  2. Select workspace (e.g., "Agent Governance Workspace")
  3. In Power BI Service, configure scheduled refresh (daily at 6:00 AM)
  4. Share dashboard with governance team and senior leadership

Verification Steps

After completing the portal walkthrough, verify the exception management system:

  1. Dataverse Table Verification:
    • Navigate to Tables → Governance Exceptions → Data
    • Verify table exists with all custom columns
    • Confirm audit tracking is enabled (check table settings)
  2. Power Apps Form Verification:
    • Open the exception request form app
    • Submit a test request with valid data
    • Verify form validation works (minimum character counts, expiration date limits)
    • Check that record appears in Dataverse after submission
  3. Approval Flow Verification:
    • Submit exception requests for Zone 1, Zone 2, and Zone 3
    • Verify correct number of approval stages (1, 2, or 3)
    • Confirm approvers receive email notifications
    • Test approval and denial workflows
    • Verify Dataverse record updates with approval status and dates
  4. Expiration Monitoring Verification:
    • Create test exception with expiration date 5 days from now
    • Manually run the expiration monitor flow
    • Verify email notifications are sent to requestor and approvers
    • Check Teams channel for expiration alerts
  5. Dashboard Verification (if implemented):
    • Open Power BI dashboard
    • Verify all visuals display current exception data
    • Check that scheduled refresh is configured and succeeds
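
The form checks in Steps 8 and 9 run only in the canvas app, and the Step 17 filter returns only rows that have not yet expired, so it helps to check the register rows themselves against the limits this walkthrough states. The Python below is an added example, not part of the original walkthrough; the row keys (agent, zone, requested, expires and so on) are hypothetical names for an export of the table, and the sample rows are constructed.

```python
from datetime import date

# Limits taken from this walkthrough.
MAX_DAYS = {"Zone 1": 90, "Zone 2": 60, "Zone 3": 30}          # Step 8
REQUIRED_APPROVALS = {"Zone 1": 1, "Zone 2": 2, "Zone 3": 3}   # Step 13
MIN_LEN = {"justification": 100, "risk": 100, "controls": 50}  # Step 9
MAX_RENEWALS = 2                                               # Step 18


def audit_row(row, today):
    """Return the sorted policy findings for one register row (a dict)."""
    zone = row["zone"][:6]  # "Zone 3 - Enterprise" -> "Zone 3"
    if zone not in MAX_DAYS:
        return ["unknown-zone"]
    findings = set()
    requested = date.fromisoformat(row["requested"])
    expires = date.fromisoformat(row["expires"])
    # Measured from the request date, as the form's DateDiff(Today(), ...) is.
    if (expires - requested).days > MAX_DAYS[zone]:
        findings.add("duration-exceeds-zone-limit")
    for field, minimum in MIN_LEN.items():
        if len((row.get(field) or "").strip()) < minimum:
            findings.add(f"{field}-too-short")
    if row["renewals"] > MAX_RENEWALS:
        findings.add("renewal-limit-exceeded")
    if row["status"] == "Fully Approved":
        needed = REQUIRED_APPROVALS[zone]
        # Every approval level the zone requires must have an approver recorded.
        if len(row["approvers"]) < needed or not all(row["approvers"][:needed]):
            findings.add("missing-approval-level")
        # The Step 17 filter skips rows already past expiry, so flag them here.
        if expires < today:
            findings.add("expired-but-still-approved")
    return sorted(findings)


def audit_register(rows, today):
    """Map agent name -> findings, for rows with at least one finding."""
    report = {}
    for row in rows:
        findings = audit_row(row, today)
        if findings:
            report[row["agent"]] = findings
    return report


# Constructed sample rows; the keys are hypothetical export field names.
SAMPLE_ROWS = [
    {"agent": "HR FAQ Bot", "zone": "Zone 1 - Personal", "status": "Fully Approved",
     "requested": "2026-02-01", "expires": "2026-04-15", "renewals": 0,
     "justification": "j" * 120, "risk": "r" * 120, "controls": "c" * 60,
     "approvers": ["manager@example.com", None, None]},
    {"agent": "Trade Desk Agent", "zone": "Zone 3 - Enterprise", "status": "Fully Approved",
     "requested": "2026-01-01", "expires": "2026-03-01", "renewals": 3,
     "justification": "needed for launch", "risk": "r" * 120, "controls": "c" * 60,
     "approvers": ["manager@example.com", "compliance@example.com", None]},
]

if __name__ == "__main__":
    for agent, findings in audit_register(SAMPLE_ROWS, date(2026, 3, 10)).items():
        print(agent, findings)
```
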

Best Practices

  • Naming Conventions: Use consistent naming for Dataverse columns (fsi_ prefix) and flows (include "Agent Exception" for easy searching)
  • Documentation: Maintain a configuration guide documenting approver assignments, zone duration limits, and renewal policies
  • Testing: Test all approval paths (Zone 1, 2, 3) and edge cases (denial, expiration, renewal) before go-live
  • Training: Train governance team and frequent requestors on exception request process and approval workflows
  • Monitoring: Review exception metrics weekly to identify trends and systemic issues requiring policy updates


Updated: February 2026 | Version: v1.0