
Control 2.2: Environment Groups and Tier Classification

Overview

Control ID: 2.2
Control Name: Environment Groups and Tier Classification
Regulatory Reference: FINRA 4511, GLBA 501(b), SOX 302/404
Setup Time: 30-60 min initial setup, ongoing rule configuration

Scope: United States (US-only)


Purpose

Environment Groups and Tier Classification provides a scalable governance mechanism that enables financial institutions to apply consistent policies across multiple Power Platform environments based on risk classification. This control is essential for FSI organizations because it supports consistent enforcement of regulatory-aligned requirements, reduces configuration drift between environments, and supports auditability by maintaining clear separation between development, testing, and production workloads. By aligning environment groups with a consistent governance model, organizations can implement tiered controls that match the sensitivity of data and criticality of business processes.


Description

Environment Groups enable consistent governance policy application across multiple Power Platform environments. By grouping environments and applying rules, administrators can enforce sharing limits, channel restrictions, authentication requirements, and AI model governance at scale.

This control is designed to work with:

  • Control 2.1 (Managed Environments): ensures each environment can participate in standardized governance and telemetry.
  • Control 2.15 (Environment Routing): ensures makers are placed into the correct target environments that already inherit the correct environment group rules.

See Environment groups for detailed capabilities.


Key Capabilities

| Capability | Description | FSI Relevance |
|---|---|---|
| Group-based rules | Apply governance rules across grouped environments | Consistent policy enforcement |
| Governance alignment | Map environment groups to governance tiers (personal/team/enterprise) | Risk-based governance |
| Centralized management | Single location for multi-environment governance | Reduced administrative overhead |
| Rule inheritance | New environments inherit group rules automatically | Prevents governance gaps |

Available Rules

Rule Count Reference

Microsoft Learn documents 21 environment group rules (6 in preview, 15 generally available) as of January 2026. Rule availability may change as features move from preview to GA. (Source)

Configure rules in PPAC under Manage → Environment groups → [Group] → Rules.

Sharing & Collaboration Rules

| Rule Name | Description | Governance Recommendation |
|---|---|---|
| Sharing agents with Editor permissions | Control co-authoring of agents | Personal productivity: Disabled; team/enterprise: Enabled |
| Sharing agents with Viewer permissions | Control agent distribution | Personal productivity: Disabled; team/enterprise: Enabled |
| Sharing controls for canvas apps | Limit app sharing broadly | Configure per governance tier |
| Sharing controls for solution-aware cloud flows | Limit flow sharing | Configure per governance tier |

Channel & Publishing Rules

| Rule Name | Description | Governance Recommendation |
|---|---|---|
| Channel access for published agents (preview) | Control which channels agents can use | Personal productivity: M365 only; team/enterprise: configure per policy |

Authentication & Security Rules

| Rule Name | Description | Governance Recommendation |
|---|---|---|
| Authentication for agents (preview) | Require authentication for agents | Team/enterprise: Required |
| Enable IP Cookie Binding | Prevent session hijacking | Enterprise: Enable |
| IP Firewall setting | Restrict access by IP | Enterprise: Configure |
| Content security policy | Manage content security for Power Apps | Team/enterprise: Configure |

AI & Generative Features Rules

| Rule Name | Description | Governance Recommendation |
|---|---|---|
| AI prompts | Enable AI prompts feature | Per organization policy |
| AI-generated descriptions (preview) | Auto-generate app descriptions | Per organization policy |
| AI-powered Copilot features (preview) | Enable Copilot assistance for makers | Per organization policy |
| Enable External Models (preview) | Allow external AI models | Enterprise only with explicit approval |
| Preview and experimental AI models | Allow pre-release AI | Personal/team only |
| Generative AI setting | Master toggle for generative AI | Per organization policy |
| Copilot GSA Settings | Copilot Government Settings | Government tenants only |

Maker Experience Rules

| Rule Name | Description | Governance Recommendation |
|---|---|---|
| Maker welcome content | Onboarding guidance for makers | All tiers: Configure |
| Control maker credential options (preview) | Control credential storage | Team/enterprise: Restrict |

Solution & Deployment Rules

| Rule Name | Description | Governance Recommendation |
|---|---|---|
| Solution checker enforcement | Validate solutions on import | Team: Warn; enterprise: Block |
| Default deployment pipeline | Link to deployment pipeline | Team/enterprise: Configure |
| Unmanaged customizations | Block unmanaged changes | Enterprise: Block |

Data & Integration Rules

| Rule Name | Description | Governance Recommendation |
|---|---|---|
| Advanced connector policies (preview) | Granular connector control | Team/enterprise: Configure |
| Computer Use (preview) | Allow computer use feature | Evaluate carefully |
| Sharing Copilot Studio agent data with Viva Insights | Share agent analytics | Per organization policy |

Operations Rules

| Rule Name | Description | Governance Recommendation |
|---|---|---|
| Backup retention | Configure backup period | Enterprise: Extended retention |
| Accessing transcripts from conversations | Control transcript access | Team/enterprise: Configure |
| Usage insights | Enable usage analytics | All tiers: Enable |
| Release channel | Control update cadence | Per organization policy |
| Power Apps component framework for canvas apps | Enable PCF components | Per organization policy |

Prerequisites

Primary Owner Admin Role: Power Platform Admin
Supporting Roles: Environment Admin

Licenses Required

| License | Purpose | Required For |
|---|---|---|
| Power Apps Premium | Managed Environments capability | Environment group participation |
| Copilot Studio | Agent governance rules | Agent sharing and channel rules |
| Power Automate Premium | Solution-aware flows | Flow sharing controls |
| Microsoft 365 E5 | Advanced compliance features | Audit and compliance integration |

Permissions Required

| Role | Scope | Purpose |
|---|---|---|
| Power Platform Admin | Tenant | Create and manage environment groups |
| Environment Admin | Environment | Add environments to groups |
| Global Administrator | Tenant | Initial service principal setup |
| Dynamics 365 Admin | Environment | Dataverse-specific configurations |

Dependencies

| Dependency | Description | Control Reference |
|---|---|---|
| Managed Environments | Environments must be managed | Control 2.1 |
| Power Platform Admin Center | PPAC access required | N/A |
| Azure AD/Entra ID | Identity integration | Tenant configuration |
| DLP Policies | Complement group rules | Control 1.5 |

Pre-Setup Checklist

  • [ ] Confirm Power Platform Admin role assignment
  • [ ] Document governance tier definitions and approval authority (Tier 1/2/3)
  • [ ] Inventory existing environments and their classifications
  • [ ] Confirm all target environments are Managed Environments (Control 2.1) before group assignment
  • [ ] Confirm routing policy targets and exceptions (Control 2.15) align to the tier model (no “default to prod” behavior)
  • [ ] Review current DLP policies for compatibility
  • [ ] Obtain approval for rule configurations from compliance team
  • [ ] Prepare maker communication plan for policy changes

Governance Levels

Warning

This document uses two different concepts:

  • Governance tiers (Tier 1/2/3) are the risk-based classification used for environment groups and enforcement.
  • Governance levels (Level 1-4) describe implementation maturity (baseline → regulated/high-risk).

For audit evidence, capture and retain both the tier assignment (which group) and the level of implementation (which rules and operational controls are enabled).

Level 1 - Baseline

| Requirement | Configuration |
|---|---|
| Environment groups created | One group per governance tier minimum |
| Lifecycle classification | Development, Test, Production |
| Basic rules | Sharing rules configured |

| Requirement | Configuration |
|---|---|
| Tier-aligned groups | Separate groups for personal, team, and enterprise tiers |
| Comprehensive rules | Sharing, channels, authentication configured |
| Maker onboarding | Welcome content with policy guidance |
| Solution governance | Solution checker at Warn level |

Level 4 - Regulated/High-Risk

| Requirement | Configuration |
|---|---|
| Strict tier separation | Dedicated groups per tier with no overlap |
| All security rules | Authentication, IP binding, firewall configured |
| AI governance | External models restricted, experimental disabled |
| Full audit trail | Transcripts, usage insights enabled |
| Deployment controls | Solution checker at Block, pipelines required |

Governance Tier-to-Group Mapping

Recommended structure for US FSI organizations (US-only):

Tier definitions (evidence-grade):

  • Tier 1 (Personal Productivity): Individual experimentation and learning; non-sensitive data only; lowest blast radius.
  • Tier 2 (Team Collaboration): Shared team workloads and shared data sources; internal/confidential data; moderate blast radius.
  • Tier 3 (Enterprise Managed): Production and enterprise-managed workloads; may include regulated data; highest audit expectations.

| Environment Group | Governance Tier | Tier | Environments | Key Rules |
|---|---|---|---|---|
| Personal Development | Personal Productivity | Tier 1 | Developer environments | Sharing disabled, M365 channels only |
| Team Collaboration | Team Collaboration | Tier 2 | Team/departmental environments | Sharing enabled, internal channels |
| Enterprise Production | Enterprise Managed | Tier 3 | Production environments | Strict controls, all rules enforced |
| Enterprise Non-Prod | Enterprise Managed | Tier 3 | UAT, staging | Same as production (pre-deployment testing) |


Setup & Configuration

Step 1: Create Environment Groups

  1. Open Power Platform Admin Center
  2. Navigate to Manage → Environment groups
  3. Click + New group
  4. Enter group name (e.g., "Team Collaboration")
  5. Add description with tier classification (Tier 1/2/3), business scope, and change authority
  6. Click Save

Evidence to capture (minimum):

  • Screenshot: group properties page showing name/description and timestamp (or browser print-to-PDF)
  • Export: environment group inventory (see Export Environment Group Configuration)

Step 2: Add Environments to Groups

  1. Select the environment group
  2. Click Environments tab
  3. Click Add environments
  4. Select environments to include
  5. Click Add

Evidence to capture (minimum):

  • Screenshot: environments tab showing group membership list and counts
  • Export: environment-to-group mapping CSV (see Export Environment Group Configuration)

Dependency check: If an environment cannot be added, validate Managed Environments configuration first (Control 2.1).

Step 3: Configure Rules

  1. Select the environment group
  2. Click Rules tab (shows 29 available rules)
  3. Click on a rule name to configure
  4. Set the appropriate value/toggle
  5. Click Save (or Publish rules for batch changes)

Evidence to capture (minimum):

  • Screenshot/PDF: Rules tab showing configured values for each tier group
  • Change record: ticket/approval referencing Tier 1/2/3 intent, approver, and effective date

Step 4: Configure Key Rules by Governance Tier

Tier 1 - Personal Productivity

Allowed data: non-sensitive only (no regulated customer data). Use synthetic/sample data when possible.

| Rule | Setting |
|---|---|
| Sharing agents with Editor permissions | Disabled |
| Sharing agents with Viewer permissions | Disabled |
| Channel access for published agents | Teams + M365 Copilot only |
| Enable External Models | Disabled |
| Preview and experimental AI models | Enabled (for learning) |

Tier 2 - Team Collaboration

Expected ownership: named group owner and an approval trail for rule changes.

| Rule | Setting |
|---|---|
| Sharing agents with Editor permissions | Enabled |
| Sharing agents with Viewer permissions | Enabled |
| Channel access for published agents | Teams, SharePoint enabled |
| Authentication for agents | Required |
| Solution checker enforcement | Warn |
| Maker welcome content | Team policy |

Tier 3 - Enterprise Managed

Change control: treat rule changes as controlled changes (ticket + peer review + recorded testing results).

| Rule | Setting |
|---|---|
| Sharing agents with Editor permissions | Disabled (use ALM) |
| Sharing agents with Viewer permissions | Enabled |
| Channel access for published agents | All (with approval) |
| Authentication for agents | Required |
| Enable External Models | Disabled (unless approved) |
| Solution checker enforcement | Block |
| Unmanaged customizations | Block |
| Default deployment pipeline | Configured |

Step 5: Publish Rules

  1. After configuring all rules, click Publish rules
  2. Rules apply to all environments in the group
  3. Verify by checking individual environment settings

Tie to Control 2.15 (Environment Routing):

  • Ensure routing policies send makers to environments that are already members of the correct Tier 1/2/3 group.
  • If routing creates or provisions environments, include a post-provisioning step that assigns the new environment to the correct environment group before maker access is granted.

PowerShell Configuration

Connect to Power Platform

```powershell
# Install the Power Platform Admin module if not present
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Force -AllowClobber

# Import the module
Import-Module Microsoft.PowerApps.Administration.PowerShell

# Connect to Power Platform (interactive authentication)
Add-PowerAppsAccount

# For service principal authentication (recommended for automation)
$appId = "<Application-Client-ID>"
$secret = "<Client-Secret>"
$tenantId = "<Tenant-ID>"
Add-PowerAppsAccount -ApplicationId $appId -ClientSecret $secret -TenantID $tenantId
```

Get Environment Groups

```powershell
# List all environment groups in the tenant
Get-AdminPowerAppEnvironmentGroup

# Get a specific environment group by ID
$groupId = "<EnvironmentGroup-ID>"
Get-AdminPowerAppEnvironmentGroup -EnvironmentGroupId $groupId

# List environments in a specific group
Get-AdminPowerAppEnvironment | Where-Object { $_.EnvironmentGroupId -eq $groupId }
```

Create Environment Group

Note

Environment group creation is primarily performed through the Power Platform Admin Center portal. PowerShell support for group creation may be limited or require preview modules.

```powershell
# Check for available cmdlets (verify module version supports this)
Get-Command -Module Microsoft.PowerApps.Administration.PowerShell -Name "*EnvironmentGroup*"

# Portal navigation for group creation:
# Power Platform Admin Center → Manage → Environment groups → + New group
```

Add Environments to Groups

```powershell
# Add an environment to an environment group
$environmentId = "<Environment-ID>"
$groupId = "<EnvironmentGroup-ID>"

# Using Set-AdminPowerAppEnvironment to update group membership
Set-AdminPowerAppEnvironment -EnvironmentName $environmentId -EnvironmentGroupId $groupId

# Verify the assignment
$env = Get-AdminPowerAppEnvironment -EnvironmentName $environmentId
Write-Host "Environment Group: $($env.EnvironmentGroupId)"
```

Get Group Rules

```powershell
# Get environment group rules (requires appropriate API access)
# Note: Rule management is primarily done via PPAC portal
# Use the following to query environment settings that reflect group rules

$environments = Get-AdminPowerAppEnvironment | Where-Object { $_.EnvironmentGroupId -eq $groupId }

foreach ($env in $environments) {
    Write-Host "Environment: $($env.DisplayName)"
    Write-Host "  Managed: $($env.Properties.governanceConfiguration.protectionLevel)"
    Write-Host "  Group ID: $($env.EnvironmentGroupId)"
}
```

Export Environment Group Configuration

```powershell
# Export environment group configuration for documentation
$exportPath = "C:\Exports\EnvironmentGroups"
New-Item -ItemType Directory -Path $exportPath -Force | Out-Null

# Get all environment groups
$groups = Get-AdminPowerAppEnvironmentGroup

# Export group details
$groupExport = $groups | Select-Object @{
    Name = 'GroupId'; Expression = { $_.EnvironmentGroupId }
}, @{
    Name = 'DisplayName'; Expression = { $_.DisplayName }
}, @{
    Name = 'Description'; Expression = { $_.Description }
}, @{
    Name = 'CreatedTime'; Expression = { $_.CreatedTime }
}

$groupExport | Export-Csv -Path "$exportPath\EnvironmentGroups_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Export environment-to-group mapping
# IsManaged uses the same protectionLevel test as the validation check below,
# so 'Enhanced' environments are not reported as unmanaged
$environments = Get-AdminPowerAppEnvironment
$envMapping = $environments | Select-Object DisplayName, EnvironmentName, EnvironmentGroupId, @{
    Name = 'IsManaged'; Expression = { $_.Properties.governanceConfiguration.protectionLevel -in @('Standard', 'Enhanced') }
}

$envMapping | Export-Csv -Path "$exportPath\EnvironmentGroupMapping_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

Write-Host "Exported $(($groups | Measure-Object).Count) groups and $(($environments | Measure-Object).Count) environments"
```

Financial Sector Considerations

Regulatory Context

Primary Regulations: FINRA 4511, GLBA 501(b), SOX 302/404

US-only implementation notes:

  • Maintain evidence artifacts in accordance with US recordkeeping expectations (e.g., FINRA retention policies).
  • Ensure environment placement and routing align with your organization’s US data residency and supervisory requirements.

| Regulation | Environment Group Support |
|---|---|
| FINRA 4511 | Consistent recordkeeping controls across environments |
| GLBA 501(b) | Uniform data protection via sharing/channel rules |
| SOX 302/404 | Segregation of duties via tier classification |

Regulatory Mapping

| Regulation | Section | Requirement | Environment Group Control |
|---|---|---|---|
| FINRA 4511 | (a)(1) | Books and records retention | Enable transcript access rules, usage insights for audit trail |
| FINRA 4511 | (b) | Supervision of communications | Channel access restrictions, sharing controls |
| GLBA | 501(b) | Safeguards for customer information | Authentication requirements, IP binding, sharing restrictions |
| SOX | 302 | Management certification | Tier classification enforces segregation of duties |
| SOX | 404 | Internal control assessment | Solution checker enforcement, unmanaged customization blocking |
| OCC | 2011-12 | Model risk management | External AI model restrictions, experimental feature controls |

Governance Tier Environment Group Configuration

| Governance Tier | Environment Group Name | Tier | Data Classification | Key Restrictions |
|---|---|---|---|---|
| Personal Productivity | FSI-Personal-Dev | Development | Non-sensitive only | No external sharing, M365 channels only, external models disabled |
| Personal Productivity | FSI-Sandbox | Development | Synthetic data only | Experimental AI enabled, no production connectors |
| Team Collaboration | FSI-Team-Collab | Test/UAT | Internal/Confidential | Team sharing allowed, internal channels, solution checker warn |
| Team Collaboration | FSI-Departmental | Departmental | Business confidential | Controlled sharing, authentication required |
| Enterprise Managed | FSI-Production | Production | All classifications | Strict controls, ALM only, no unmanaged changes |
| Enterprise Managed | FSI-Regulatory | Production | Regulatory/PII | Maximum restrictions, full audit, IP firewall enabled |

FSI Example Configuration

```yaml
# FSI Environment Group Configuration Example
# Organization: Contoso Financial Services

environment_groups:
  - name: "FSI-Enterprise-Production"
    description: "Enterprise production environments - maximum governance"
    tier: "Production"
    governance_tier: "Enterprise Managed"

    rules:
      # Sharing Rules
      sharing_agents_editor: disabled
      sharing_agents_viewer: enabled
      sharing_canvas_apps: "organization_only"
      sharing_solution_flows: "organization_only"

      # Channel Rules
      channel_access_agents: "teams,m365copilot,sharepoint"

      # Security Rules
      authentication_agents: required
      ip_cookie_binding: enabled
      ip_firewall: enabled
      content_security_policy: strict

      # AI Governance
      ai_prompts: enabled
      external_models: disabled
      preview_experimental_ai: disabled
      generative_ai: enabled

      # Solution Governance
      solution_checker: block_on_error
      unmanaged_customizations: blocked
      default_pipeline: "FSI-Production-Pipeline"

      # Audit & Compliance
      transcript_access: enabled
      usage_insights: enabled
      backup_retention: "28_days"

    environments:
      - "prod-trading-001"
      - "prod-wealth-management"
      - "prod-customer-service"
      - "prod-compliance-reporting"

  - name: "FSI-Team-Collaboration"
    description: "Team collaboration environments - balanced governance"
    tier: "Test"
    governance_tier: "Team Collaboration"

    rules:
      sharing_agents_editor: enabled
      sharing_agents_viewer: enabled
      authentication_agents: required
      solution_checker: warn_on_error
      external_models: disabled
      preview_experimental_ai: disabled
```

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of environment groups and tier classification that impacts tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply zone-aligned rules consistently across environments for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain rule snapshots + group membership exports.
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for environment groups and tier classification and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain rule snapshots + group membership exports.
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Evidence Pack (Audit Artifacts)

Retain an evidence pack per review period (e.g., monthly/quarterly) that an auditor can replay without requiring interactive portal access.

Minimum evidence pack contents (recommended):

  • Environment group inventory export (CSV): group IDs, display names, descriptions, created time
  • Environment-to-group mapping export (CSV): environment name, display name, group ID, managed status
  • Rule configuration snapshots (PDF/screenshots) for each Tier 1/2/3 group, including “Published” status and publish timestamp
  • Control linkage notes: references showing the Managed Environments baseline (Control 2.1) and the routing policy intent and exception list (Control 2.15)
  • Change log: tickets/approvals for any rule changes during the period

| Step | Action | Expected Result |
|---|---|---|
| 1 | Navigate to Environment groups | Groups listed with environment counts |
| 2 | Check Rules tab | Shows 29 rules with status |
| 3 | Verify rule publication | Status shows "Published" with date |
| 4 | Test in one environment per tier | Rules enforced (e.g., Tier 1 agent sharing blocked; Tier 3 unmanaged customizations blocked) |
| 5 | Add new environment to group | Inherits group rules automatically |
| 6 | Validate routing outcome (Control 2.15) | A new maker is routed to a tier-appropriate environment that already inherits the correct group rules |

PowerShell Validation (Evidence-Friendly)

Use these checks to validate and preserve evidence without relying on portal screenshots alone.

```powershell
$groupId = "<EnvironmentGroup-ID>"

# List environments in the group and confirm managed state
Get-AdminPowerAppEnvironment |
  Where-Object { $_.EnvironmentGroupId -eq $groupId } |
  Select-Object DisplayName, EnvironmentName, EnvironmentGroupId,
    @{Name='IsManaged'; Expression = { $_.Properties.governanceConfiguration.protectionLevel -in @('Standard','Enhanced') }} |
  Format-Table -AutoSize
```
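As an added example (not from this document or from Microsoft), the following script extends the validation query above into a tier-aware drift check that produces the evidence pack described in the Verification section. It assumes the same cmdlets and properties the page uses (Get-AdminPowerAppEnvironment, EnvironmentGroupId, Properties.governanceConfiguration.protectionLevel), that Add-PowerAppsAccount has already been run, and that display names follow a naming convention; the group IDs and the ^dev-/^team-/^prod- patterns are placeholders.

```powershell
# Added example, not part of the control document or the Microsoft module.
# Assumes the module is imported and Add-PowerAppsAccount has run, and that
# environments expose EnvironmentGroupId and
# Properties.governanceConfiguration.protectionLevel as shown on the page.

# Expected tier model. Group IDs and name patterns are placeholders to replace.
$TierModel = @(
    @{ Tier = 'Tier 1'; GroupName = 'Personal Development';  GroupId = '<Tier1-Group-ID>'; NamePattern = '^dev-' }
    @{ Tier = 'Tier 2'; GroupName = 'Team Collaboration';    GroupId = '<Tier2-Group-ID>'; NamePattern = '^team-' }
    @{ Tier = 'Tier 3'; GroupName = 'Enterprise Production'; GroupId = '<Tier3-Group-ID>'; NamePattern = '^prod-' }
)

function Test-EnvironmentTierAssignment {
    # Compare one environment's actual group and managed state with the tier model.
    param(
        [Parameter(Mandatory)] $Environment,
        [Parameter(Mandatory)] [array] $TierModel
    )
    $display   = $Environment.DisplayName
    $level     = $Environment.Properties.governanceConfiguration.protectionLevel
    $isManaged = $level -in @('Standard', 'Enhanced')   # same test as the validation query above
    $expected  = $TierModel | Where-Object { $display -match $_.NamePattern } | Select-Object -First 1
    $actual    = $Environment.EnvironmentGroupId
    $tierName  = if ($expected) { $expected.Tier } else { 'Unmapped' }
    $findings  = @()
    if (-not $isManaged)                      { $findings += 'NotManaged (Control 2.1)' }
    if ($null -eq $expected)                  { $findings += 'NoTierMappingForName' }
    elseif ([string]::IsNullOrEmpty($actual)) { $findings += 'NotInAnyGroup' }
    elseif ($actual -ne $expected.GroupId)    { $findings += "WrongGroup (expected $($expected.GroupName))" }
    [pscustomobject]@{
        DisplayName     = $display
        EnvironmentName = $Environment.EnvironmentName
        ExpectedTier    = $tierName
        GroupId         = $actual
        ProtectionLevel = $level
        IsManaged       = $isManaged
        Compliant       = ($findings.Count -eq 0)
        Findings        = ($findings -join '; ')
    }
}

function Export-TierEvidencePack {
    # Run the check over every environment; write CSV, JSON summary and SHA-256 manifest.
    param(
        [Parameter(Mandatory)] [array] $TierModel,
        [string] $OutputRoot = 'C:\Exports\EnvironmentGroups'
    )
    $folder = Join-Path $OutputRoot "TierEvidence_$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    $results = @(Get-AdminPowerAppEnvironment |
        ForEach-Object { Test-EnvironmentTierAssignment -Environment $_ -TierModel $TierModel })
    $results | Export-Csv -Path (Join-Path $folder 'TierAssignment.csv') -NoTypeInformation

    # Summary an auditor can read without portal access
    $summary = [pscustomobject]@{
        GeneratedUtc      = (Get-Date).ToUniversalTime().ToString('o')
        TotalEnvironments = $results.Count
        NonCompliant      = @($results | Where-Object { -not $_.Compliant }).Count
        ByTier            = @($results | Group-Object ExpectedTier |
                               ForEach-Object { [pscustomobject]@{ Tier = $_.Name; Count = $_.Count } })
    }
    $summary | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $folder 'Summary.json')

    # Integrity manifest: hash each artifact so later tampering is detectable
    Get-ChildItem -Path $folder -File | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ Name = 'File'; Expression = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $folder 'Manifest.sha256.csv') -NoTypeInformation

    # Show drift on screen; the files in $folder are the retained evidence
    $results | Where-Object { -not $_.Compliant } |
        Format-Table DisplayName, ExpectedTier, ProtectionLevel, Findings -AutoSize
    return $folder
}

Export-TierEvidencePack -TierModel $TierModel
```

Store the returned folder with the change log for the period; the manifest lets a reviewer confirm the CSV and JSON were not altered after collection.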

Integration with Managed Environments

Environment Groups and Managed Environments provide layered governance:

| Control Type | Environment Groups | Managed Environments |
|---|---|---|
| Scope | Multiple environments | Single environment |
| Sharing rules | Agent-level controls | Resource-level limits |
| Channels | Publishing restrictions | N/A |
| Solution checker | Via rule | Direct configuration |
| Usage insights | Via rule | Direct configuration |

Precedence: More restrictive setting wins when both are configured.


Troubleshooting & Validation

| Issue | Symptoms | Resolution |
|---|---|---|
| Rules not applying to environment | Environment settings don't match group rules | Verify environment is added to the group; check that rules are published; confirm environment is managed |
| Cannot add environment to group | "Environment cannot be added" error | Ensure environment is a Managed Environment first (Control 2.1); verify you have Environment Admin rights |
| Rule conflicts between group and environment | Inconsistent behavior | More restrictive setting wins; review both environment-level and group-level settings; document which takes precedence |
| Environment group not visible | Group doesn't appear in PPAC | Confirm Power Platform Admin role; check if group was deleted; verify tenant-level feature is enabled |
| Published rules taking time to apply | Settings not immediately effective | Allow up to 15 minutes for rule propagation; check Power Platform Admin Center for sync status |
| External model rule not blocking | External AI models still accessible | Verify rule is published; check if user has exemption; confirm environment is in the correct group |
| Maker routed to wrong environment | New makers land in an environment with incorrect tier rules | Review routing policy targets and exceptions (Control 2.15); verify target environment is in the correct Tier 1/2/3 group; re-run validation checks and retain updated exports |
| Tier intent unclear during audit | Group names/descriptions do not prove Tier 1/2/3 purpose | Update group descriptions to include tier, allowed data scope, and change authority; regenerate exports and capture updated rule snapshots |

Additional Resources

| Topic | URL |
|---|---|
| Environment groups overview | https://learn.microsoft.com/power-platform/admin/environment-groups |
| Create and manage environment groups | https://learn.microsoft.com/power-platform/admin/environment-groups |
| Environment group rules | https://learn.microsoft.com/power-platform/admin/environment-groups-rules |
| Managed Environments overview | https://learn.microsoft.com/power-platform/admin/managed-environment-overview |
| Power Platform for administrators | https://learn.microsoft.com/power-platform/admin/ |
| PowerShell for Power Platform admins | https://learn.microsoft.com/power-platform/admin/powershell-getting-started |

| Control | Relationship |
|---|---|
| Control 2.1: Managed Environments | Environment-level governance |
| Control 2.15: Environment Routing | Automatic maker placement |
| Control 1.4: Advanced Connector Policies | Connector governance |

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead (governance direction)
  • Compliance Officer (regulatory requirements)
  • Power Platform Admin (technical setup)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification