Control 3.1: Agent Inventory and Metadata Management
Overview
Control ID: 3.1 Control Name: Agent Inventory and Metadata Management Regulatory Reference: FINRA 4511, SEC 17a-3/4, SOX 404, GLBA 501(b) Scope: United States (US) financial services recordkeeping and supervisory expectations Jurisdiction: US-only (this guidance does not address non-US recordkeeping requirements) Setup Time: 1-2 hours
Purpose
Maintaining a comprehensive agent inventory is essential for financial institutions to demonstrate regulatory compliance, ensure proper oversight of AI-driven automation, and mitigate operational risks. A complete inventory enables organizations to track agent ownership, monitor data access patterns, and respond quickly to regulatory examinations. Without accurate metadata management, FSI organizations face significant compliance gaps and potential supervisory findings.
Description
Maintaining a complete inventory of all agents across the organization is fundamental to governance. The Power Platform Admin Center provides Power Platform inventory that offers tenant-wide visibility into all apps, flows, and agents created across environments with near real-time data (within 15 minutes).
This control distinguishes between:
- A system of record (the authoritative inventory register used for audit/reporting), and
- discovery sources (portals and exports used to find and validate what exists).
See View agent inventory for detailed capabilities.
Two Agent Inventories: Understanding the Difference
Critical: Monitor Both Inventories
Microsoft provides two separate agent inventories in different admin portals. FSI organizations must monitor BOTH to maintain complete visibility.
| Inventory | Location | Tracks | Use Case |
|---|---|---|---|
| Agent Registry | M365 Admin Center → Settings → Integrated apps → Agents | Declarative agents, M365 Copilot plugins, extensions | M365 Copilot ecosystem agents |
| Power Platform Inventory | Power Platform Admin Center → Resources → Power Platform inventory | Copilot Studio custom agents, Power Apps, Flows | Custom-built agents |
Agent Registry (M365 Admin Center):
- Tracks agents built using the declarative agent framework
- Includes M365 Copilot extensions and plugins
- Manages agent deployment and availability across the organization
- Navigation:
admin.microsoft.com→ Settings → Integrated apps → Agents tab
Power Platform Inventory (PPAC):
- Tracks agents built in Copilot Studio
- Provides cross-environment visibility for all Power Platform resources
- Includes owner, environment, and metadata details
- Navigation:
admin.powerplatform.microsoft.com→ Resources → Power Platform inventory
FSI Recommendation:
# Agent Inventory Reconciliation Process
reconciliation_schedule: weekly
data_sources:
- name: "M365 Agent Registry"
url: "admin.microsoft.com → Agents"
agent_types: ["declarative", "plugins", "extensions"]
- name: "Power Platform Inventory"
url: "admin.powerplatform.microsoft.com → Power Platform inventory"
agent_types: ["copilot_studio", "custom_agents"]
reconciliation_steps:
1: "Export both inventories to CSV/Excel"
2: "Compare agent counts and identify discrepancies"
3: "Validate all agents have documented owners"
4: "Flag orphaned or unregistered agents for review"
5: "Update master inventory system of record"
Future Convergence
Microsoft is working toward a unified agent management experience. Monitor Microsoft 365 roadmap for updates on consolidated agent governance.
Key Capabilities
| Capability | Description | FSI Relevance |
|---|---|---|
| Cross-environment visibility | View all items across all environments | Complete governance oversight |
| Item type filtering | Filter by Agent, Model-driven app, Code app | Focus on AI agents specifically |
| Owner tracking | See who owns each item | Accountability and supervision |
| Environment classification | View environment type (Production, Sandbox, Developer) | Risk-based monitoring |
| Metadata export | Export inventory for analysis | Audit and compliance reporting |
Prerequisites
Primary Owner Admin Role: Power Platform Admin Supporting Roles: Entra Global Reader
Licenses Required
| License | Purpose | Required/Optional |
|---|---|---|
| Power Platform Premium | Access to Managed Environments and advanced governance features | Required for Tier 2-3 |
| Microsoft 365 E3/E5 | Access to M365 Admin Center for integrated apps visibility | Required |
| Power Platform Admin Center | Tenant-wide inventory visibility | Required |
| Copilot Studio | Agent configuration and metadata access | Required for agent details |
Permissions Required
| Role | Scope | Responsibilities |
|---|---|---|
| Power Platform Administrator | Tenant-wide | Full access to Power Platform inventory across all environments |
| Environment Administrator | Environment-level | View and manage inventory within assigned environments |
| Dynamics 365 Administrator | Environment-level | Access to environment settings and metadata |
| Global Reader | Tenant-wide | Read-only access for compliance review |
Dependencies
| Dependency | Control Reference | Purpose |
|---|---|---|
| Managed Environments | Control 2.1 | Required for advanced governance features |
| Environment Strategy | Control 2.2 | Environment classification for inventory categorization |
| Orphaned Agent Detection | Control 3.6 | Remediation of unowned agents discovered in inventory |
Pre-Setup Checklist
- [ ] Verify Power Platform Administrator role assignment
- [ ] Confirm access to Power Platform Admin Center
- [ ] Document all environments requiring inventory tracking
- [ ] Identify compliance team members requiring inventory access
- [ ] Prepare inventory export location (SharePoint, network share, or GRC tool)
- [ ] Define inventory review schedule (daily/weekly/monthly based on governance tier/risk)
- [ ] Establish orphaned agent remediation process
Governance Levels
Level 1 - Baseline
| Requirement | Configuration |
|---|---|
| Inventory access | Power Platform inventory enabled |
| Basic metadata | Owner, environment, creation date tracked |
| Review frequency | Monthly inventory review |
Minimum requirements:
- Access Power Platform inventory regularly
- Document agent count and locations
- Identify orphaned agents (missing owners)
Level 2-3 - Recommended
| Requirement | Configuration |
|---|---|
| Comprehensive tracking | All metadata columns reviewed |
| Automated exports | Weekly CSV exports for analysis |
| Dashboard reporting | Summary dashboard for stakeholders |
| Anomaly detection | Alert on unexpected agent creation |
FSI recommendations:
- Export inventory weekly for compliance records
- Create summary reports by environment type
- Track agent growth trends
- Integrate with GRC tools if available
Level 4 - Regulated/High-Risk
| Requirement | Configuration |
|---|---|
| Real-time monitoring | Daily inventory reviews |
| Drift detection | Alert on unauthorized agents |
| Executive reporting | Monthly inventory reports to governance committee |
| Full metadata | All attributes documented and verified |
| Audit trail | Inventory snapshots retained per retention policy |
FSI requirements:
- Daily review of new agent creations
- Immediate investigation of agents in production environments
- Monthly executive summary reports
- Integration with compliance monitoring systems
Additional Inventory Sources
System of Record vs Discovery Sources
Use a single Agent Inventory Register as the system of record (SoR). The SoR may be implemented as a GRC tool object, a controlled SharePoint list/library with change history, or another governed repository.
Discovery sources can be incomplete due to sync latency, access scope, and platform-specific visibility; treat them as inputs to be reconciled into the SoR (not the authoritative register).
| Category | What it is | Examples | Primary Use |
|---|---|---|---|
| System of Record (SoR) | Authoritative inventory register used for reporting/audit | GRC tool, controlled SharePoint list/library | Reporting, attestations, retention, audit trail |
| Discovery Sources | Platforms that enumerate what exists | Power Platform inventory, Copilot Studio agent list, M365 Integrated Apps | Finding agents, validating metadata, detecting drift |
M365 Admin Center - Integrated Apps
For agents published to M365:
- Open Microsoft 365 Admin Center
- Navigate to Settings → Integrated apps
- View published agents and apps
See Manage Copilot agents in Integrated Apps for details.
Copilot Studio - Agent List
For detailed agent configuration:
- Open Copilot Studio
- View agents per environment
- Access agent settings and configuration
Inventory Metadata Requirements
Canonical Agent Identifier (AgentID)
Define and enforce a canonical AgentID that is immutable and unique within the tenant.
- Purpose: Stable cross-system join key for inventory, incidents, cost, records/retention, and attestations.
- Rule: Agent display names are not identifiers; they may change without breaking inventory continuity.
- Format (recommended):
AGT-<TENANT>-<SEQUENTIAL>orAGT-<BUSUNIT>-<SEQUENTIAL>. - Assignment: Create AgentID at first registration in the SoR; never reuse an AgentID after retirement/decommission.
- Mapping: Each AgentID must map to the platform identifiers required to locate the same agent in discovery sources.
In the system of record, store both the canonical AgentID and the platform identifiers needed to reconcile discovery sources.
| Identifier | Description | Required |
|---|---|---|
| AgentID | Canonical governance identifier | Yes |
| Environment ID/Name | Environment join key (use immutable ID where available) | Yes |
| Platform Object ID | Platform-specific unique identifier (when available) | Yes |
| Publisher/Deployment Target | e.g., M365 Integrated Apps published status | Tier 2-3 |
Reconciliation Workflow (SoR ⇄ Discovery)
Perform reconciliation on a fixed cadence aligned to governance tier (at minimum, monthly).
- Collect discovery exports (PPAC inventory, Copilot Studio list, M365 Integrated Apps for published agents).
- Normalize fields (owner UPN/email, environment identifiers, item type) and standardize timestamps.
- Match to existing SoR records using platform IDs + environment, falling back to controlled/manual matching if needed.
- Decide per item: New (create AgentID), Update (metadata drift), Retire (no longer present + validated), or Exception.
- Approve changes in the SoR (ticket/approval trail for Tier 2-3).
- Snapshot evidence (exports + hashes) and retain per records policy.
- Report the reconciliation outcome (dated delta + exceptions) for auditability and follow-up.
Evidence and Integrity Requirements (Hashing)
For each inventory export retained as evidence, compute and store a content hash to detect tampering.
- Hash algorithm: SHA-256
- Hash storage: Store the hash value and export filename/path in the SoR (or an evidence manifest) with date/time and exporter identity.
- Integrity checks: Recompute hash on request (e.g., during audit) and compare to the stored value.
Example (PowerShell):
$exportFile = "C:\Governance\AgentInventory\AgentInventory_20251218_120000.csv"
(Get-FileHash -Path $exportFile -Algorithm SHA256).Hash
Minimum Metadata (All Tiers)
| Field | Source | Required |
|---|---|---|
| Agent name | PPAC Inventory | Yes |
| Owner | PPAC Inventory | Yes |
| Environment | PPAC Inventory | Yes |
| Created date | PPAC Inventory | Yes |
| Modified date | PPAC Inventory | Yes |
Extended Metadata (Tier 2-3)
| Field | Source | Required |
|---|---|---|
| Business purpose | Manual documentation | Yes |
| Data sources | Agent configuration | Yes |
| Approval date | Governance records | Yes |
| Governance tier classification | Governance records | Yes |
| Review schedule | Governance records | Yes |
Comprehensive Metadata (Tier 3)
| Field | Source | Required |
|---|---|---|
| Risk assessment | Risk documentation | Yes |
| Model validation | Validation records | Yes |
| Regulatory mapping | Compliance records | Yes |
| Incident history | Incident management | Yes |
| Performance baseline | Monitoring records | Yes |
Reporting and Linkage Fields (SoR)
Include the following fields in the system of record so inventory can be joined to operational, financial, and records evidence.
| Field | Purpose | Required |
|---|---|---|
| AgentID | Canonical join key across systems | Yes |
| Owning business unit | Accountability and supervision | Yes |
| Owner (UPN/email) + Owner manager | Supervisory chain | Tier 2-3 |
| Cost center / chargeback tag | Cost attribution and budgeting | Tier 2-3 |
| Change ticket / approval reference | Traceability for creation/major changes | Tier 2-3 |
| Data classification + key data sources | Risk and compliance context | Tier 2-3 |
| Records series / retention schedule ID | Records linkage for exports/logs/outputs | Tier 2-3 |
| Incident/Problem IDs | Link to incidents, RCAs, and corrective actions | Tier 2-3 |
| Decommission date + disposition outcome | End-of-life control and evidence | Tier 2-3 |
Setup & Configuration
PPAC Maker Inventory (Preview)
Accessing the Inventory
- Open Power Platform Admin Center
- Navigate to Manage → Inventory
- View the complete list of maker creations
Available Columns
| Column | Description | Governance Use |
|---|---|---|
| Item name | Name of the agent/app/flow | Identification |
| Item type | Agent, Model-driven app, Code app | Filter for agents |
| Owner | User who created/owns the item | Accountability |
| Modified on | Last modification date | Change tracking |
| Created on | Creation date | Lifecycle tracking |
| Environment | Environment name (clickable link) | Location tracking |
| Environment type | Sandbox, Default, Developer, Production | Risk classification |
| Environment region | Geographic location | Data residency |
Key Features
- Item count: Shows total items (e.g., "Showing 297 of 297 items")
- Refresh: Manual refresh button for latest data
- Cross-environment: Single view across all environments
- Filtering: Filter by any column
- Sorting: Sort by any column (click column header)
Note
This feature is in Preview. Data refreshes periodically (not real-time).
PowerShell Configuration
Prerequisites
# Install required PowerShell modules
Install-Module -Name Microsoft.PowerApps.Administration.PowerShell -Scope CurrentUser -Force
Install-Module -Name Microsoft.PowerApps.PowerShell -Scope CurrentUser -Force
# Connect to Power Platform
Add-PowerAppsAccount
Get All Environments
# List all environments with details
$environments = Get-AdminPowerAppEnvironment
$environments | Select-Object DisplayName, EnvironmentName, EnvironmentType, CreatedTime, SecurityGroupId |
Format-Table -AutoSize
# Export environment list to CSV
$environments | Export-Csv -Path "C:\Governance\Environments_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Get Apps, Flows, and Agents Across Environments
# Get all Power Apps across all environments
$allApps = Get-AdminPowerApp
Write-Host "Total Power Apps found: $($allApps.Count)" -ForegroundColor Cyan
$allApps | Select-Object DisplayName, EnvironmentName, Owner, CreatedTime, LastModifiedTime |
Format-Table -AutoSize
# Get all Power Automate flows across all environments
$allFlows = Get-AdminFlow
Write-Host "Total Power Automate flows found: $($allFlows.Count)" -ForegroundColor Cyan
$allFlows | Select-Object DisplayName, EnvironmentName, Enabled, CreatedTime, LastModifiedTime |
Format-Table -AutoSize
Export Comprehensive Agent Inventory
# Comprehensive Agent Inventory Export Script
# Run this script weekly for compliance documentation
$reportDate = Get-Date -Format "yyyyMMdd_HHmmss"
$exportPath = "C:\Governance\AgentInventory"
# Create export directory if not exists
if (-not (Test-Path $exportPath)) {
New-Item -ItemType Directory -Path $exportPath -Force
}
# Get all environments
$environments = Get-AdminPowerAppEnvironment
# Initialize inventory collection
$inventoryReport = @()
foreach ($env in $environments) {
Write-Host "Processing environment: $($env.DisplayName)" -ForegroundColor Yellow
# Get apps in this environment
$apps = Get-AdminPowerApp -EnvironmentName $env.EnvironmentName -ErrorAction SilentlyContinue
foreach ($app in $apps) {
$inventoryReport += [PSCustomObject]@{
ItemName = $app.DisplayName
ItemType = "PowerApp"
Owner = $app.Owner.displayName
OwnerEmail = $app.Owner.email
EnvironmentName = $env.DisplayName
EnvironmentType = $env.EnvironmentType
CreatedDate = $app.CreatedTime
ModifiedDate = $app.LastModifiedTime
AppType = $app.AppType
InventoryDate = Get-Date
}
}
# Get flows in this environment
$flows = Get-AdminFlow -EnvironmentName $env.EnvironmentName -ErrorAction SilentlyContinue
foreach ($flow in $flows) {
$inventoryReport += [PSCustomObject]@{
ItemName = $flow.DisplayName
ItemType = "Flow"
Owner = $flow.Owner.displayName
OwnerEmail = $flow.Owner.email
EnvironmentName = $env.DisplayName
EnvironmentType = $env.EnvironmentType
CreatedDate = $flow.CreatedTime
ModifiedDate = $flow.LastModifiedTime
AppType = "N/A"
InventoryDate = Get-Date
}
}
}
# Export inventory to CSV
$inventoryReport | Export-Csv -Path "$exportPath\AgentInventory_$reportDate.csv" -NoTypeInformation
Write-Host "Inventory exported to: $exportPath\AgentInventory_$reportDate.csv" -ForegroundColor Green
Write-Host "Total items inventoried: $($inventoryReport.Count)" -ForegroundColor Cyan
# Evidence integrity: compute and record a SHA-256 hash for the export
$exportFile = "$exportPath\AgentInventory_$reportDate.csv"
$hash = (Get-FileHash -Path $exportFile -Algorithm SHA256).Hash
"$reportDate,AgentInventory,$exportFile,SHA256,$hash" | Out-File -FilePath "$exportPath\AgentInventory_Hashes.csv" -Append -Encoding utf8
Write-Host "Export SHA-256: $hash" -ForegroundColor Cyan
Identify Orphaned Agents
# Identify Orphaned Agents Script
# Finds agents with missing or invalid owners
$orphanedAgents = @()
# Get all apps
$allApps = Get-AdminPowerApp
foreach ($app in $allApps) {
# Check if owner email is empty or contains system account indicators
if ([string]::IsNullOrEmpty($app.Owner.email) -or
$app.Owner.email -like "*system*" -or
$app.Owner.email -like "*deleted*") {
$orphanedAgents += [PSCustomObject]@{
ItemName = $app.DisplayName
ItemType = "PowerApp"
OwnerInfo = $app.Owner.displayName
EnvironmentName = $app.EnvironmentName
CreatedDate = $app.CreatedTime
LastModified = $app.LastModifiedTime
Status = "Orphaned - No Valid Owner"
}
}
}
# Display orphaned agents
if ($orphanedAgents.Count -gt 0) {
Write-Host "Found $($orphanedAgents.Count) orphaned agents requiring remediation:" -ForegroundColor Red
$orphanedAgents | Format-Table -AutoSize
# Export for remediation
$orphanedAgents | Export-Csv -Path "C:\Governance\OrphanedAgents_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
} else {
Write-Host "No orphaned agents found." -ForegroundColor Green
}
Create Inventory Summary Report
# Generate Inventory Summary Report
# Provides executive-level summary for governance committee
$environments = Get-AdminPowerAppEnvironment
$summaryReport = @()
foreach ($env in $environments) {
$apps = Get-AdminPowerApp -EnvironmentName $env.EnvironmentName -ErrorAction SilentlyContinue
$flows = Get-AdminFlow -EnvironmentName $env.EnvironmentName -ErrorAction SilentlyContinue
$summaryReport += [PSCustomObject]@{
EnvironmentName = $env.DisplayName
EnvironmentType = $env.EnvironmentType
TotalApps = $apps.Count
TotalFlows = $flows.Count
TotalItems = $apps.Count + $flows.Count
Region = $env.Location
SecurityGroupEnabled = if ($env.SecurityGroupId) { "Yes" } else { "No" }
ReportDate = Get-Date
}
}
# Display summary
Write-Host "`n=== AGENT INVENTORY SUMMARY REPORT ===" -ForegroundColor Cyan
$summaryReport | Format-Table -AutoSize
# Total counts
$totalApps = ($summaryReport | Measure-Object -Property TotalApps -Sum).Sum
$totalFlows = ($summaryReport | Measure-Object -Property TotalFlows -Sum).Sum
Write-Host "`nTotal Apps Across All Environments: $totalApps" -ForegroundColor Green
Write-Host "Total Flows Across All Environments: $totalFlows" -ForegroundColor Green
Write-Host "Total Environments: $($environments.Count)" -ForegroundColor Green
# Export summary
$summaryReport | Export-Csv -Path "C:\Governance\InventorySummary_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
Financial Sector Considerations
Regulatory Context
Primary Regulations: FINRA 4511, SEC 17a-3/4, SOX 404, GLBA 501(b)
This guidance is US-only. If your institution operates outside the US, align inventory retention and evidence expectations to the applicable jurisdictional recordkeeping requirements.
| Regulation | Inventory Requirement |
|---|---|
| FINRA 4511 | Maintain books and records of all AI systems |
| SEC 17a-3/4 | Document systems processing customer data |
| SOX 404 | Inventory of systems in financial reporting |
| GLBA 501(b) | Track systems accessing customer information |
Examination Considerations
Regulators may request:
- Complete list of AI agents in use
- Ownership and accountability documentation
- Environment classification and controls
- Agent creation and approval history
Regulatory Mapping
| Regulation | Requirement | Inventory Implication |
|---|---|---|
| FINRA 4511 | Books and records retention | Maintain historical inventory snapshots with 6+ year retention |
| SEC 17a-3/4 | Customer record documentation | Track all agents that process or access customer data |
| SOX 404 | Internal controls documentation | Document agents used in financial reporting processes |
| OCC 2011-12 | Model Risk Management | Inventory agents as models requiring validation and monitoring |
| GLBA 501(b) | Safeguards Rule | Track agents accessing customer non-public personal information |
Tier-Specific Inventory Requirements
| Tier | Inventory Frequency | Required Metadata | Retention Period |
|---|---|---|---|
| Tier 1 (Personal Productivity) | Monthly | Basic (owner, environment, dates) | 1 year |
| Tier 2 (Team Collaboration) | Weekly | Extended (data sources, approvals, purpose) | 3 years |
| Tier 3 (Enterprise Managed) | Daily | Comprehensive (risk assessment, validation, regulatory mapping) | 6+ years |
FSI Inventory Governance Configuration
# FSI Agent Inventory Governance Configuration
# Organization: [Financial Institution Name]
# Effective Date: [Date]
inventory_governance:
policy_name: "FSI Agent Inventory and Metadata Management"
policy_version: "2.0"
owner: "AI Governance Committee"
inventory_schedule:
tier_1_personal_productivity:
frequency: "Monthly"
review_by: "IT Operations"
retention_days: 365
tier_2_team_collaboration:
frequency: "Weekly"
review_by: "Compliance Team"
retention_days: 1095
export_to_grc: true
tier_3_enterprise_managed:
frequency: "Daily"
review_by: "Risk Management"
retention_days: 2190
export_to_grc: true
alert_on_changes: true
required_metadata:
all_tiers:
- agent_name
- owner
- owner_manager
- environment
- created_date
- modified_date
tier_2_additional:
- business_purpose
- data_sources
- approval_date
- approver_name
- review_schedule
tier_3_additional:
- risk_classification
- model_validation_date
- regulatory_mapping
- incident_history
- performance_baseline
- last_audit_date
orphaned_agent_handling:
detection_frequency: "Weekly"
remediation_sla_days: 14
escalation_after_days: 7
auto_disable_after_days: 30
reporting:
executive_summary: "Monthly"
detailed_inventory: "Weekly"
exception_report: "Daily"
audit_package: "Quarterly"
Zone-Specific Configuration
Zone 1 (Personal Productivity):
- Apply a baseline minimum of Agent Inventory and Metadata Management controls that impacts tenant-wide safety (where applicable), and document any exceptions for personal agents.
- Avoid expanding scope beyond the user’s own data unless explicitly justified.
- Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.
Zone 2 (Team Collaboration):
- Apply the control for shared agents and shared data sources; require an identified owner and an approval trail.
- Validate configuration in a pilot environment before broader rollout; retain evidence (screenshots/exports/logs).
- Rationale: shared agents increase blast radius; controls must be consistently applied and provable.
Zone 3 (Enterprise Managed):
- Require the strictest configuration for Agent Inventory and Metadata Management controls and enforce it via policy where possible (not manual-only).
- Treat changes as controlled (change ticket + documented testing); retain evidence (screenshots/exports/logs).
- Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.
Verification & Testing
| Step | Action | Expected Result |
|---|---|---|
| 1 | Navigate to PPAC → Manage → Inventory | Power Platform inventory displayed |
| 2 | Verify item count | All known agents visible |
| 3 | Filter by Item type = "Agent" | Only agents displayed |
| 4 | Check for orphaned agents | All agents have valid owners |
| 5 | Verify environment classification | Correct environment types shown |
| 6 | Export inventory | CSV export successful |
Orphaned Agent Detection
Agents without valid owners create governance gaps:
Identification
- Review "Owner" column in PPAC Inventory
- Look for system accounts or departed employees
- Check for agents in unexpected environments
Remediation
- Assign new owner from business unit
- Document ownership transfer
- Review agent configuration and data access
- Update governance records
See Control 3.6: Orphaned Agent Detection for detailed procedures.
Troubleshooting & Validation
Common Issues and Solutions
| Issue | Cause | Solution |
|---|---|---|
| PPAC Inventory shows 0 items | Preview feature not enabled or data not synced | Wait 24-48 hours for initial sync; verify feature is enabled in tenant settings |
| Missing agents from inventory | Agents in environments without proper access | Verify Power Platform Administrator role; check environment security settings |
| Owner shows as "System Account" | Agent created by deleted user or service principal | Follow orphaned agent remediation process; check Entra ID for user status |
| Cannot export inventory to CSV | Browser permissions or popup blocker | Disable popup blocker for PPAC; try different browser |
| PowerShell commands timeout | Large number of environments or items | Add pagination; process environments in batches; increase timeout values |
Additional Troubleshooting Steps
Issue: Inventory count differs from Copilot Studio count
- PPAC Inventory includes all item types (apps, flows, agents)
- Filter PPAC Inventory by "Item type = Agent" for accurate comparison
- Allow 24 hours for sync between Copilot Studio and PPAC Inventory
- Verify you have access to all environments in both portals
Issue: Cannot see specific environment in inventory
- Verify environment has not been deleted or disabled
- Check your role assignment for that specific environment
- Confirm environment region matches your admin center access
- Contact Global Administrator if access issues persist
Additional Resources
| Resource | Description |
|---|---|
| View agent inventory | Power Platform inventory documentation |
| Manage Copilot agents in Integrated Apps | M365 Admin Center agent management |
| Power Platform Admin Center overview | Complete PPAC documentation |
| Environment administration | Environment management and governance |
| PowerShell for Power Platform Administrators | PowerShell module documentation |
| Managed Environments overview | Governance features for environments |
Related Controls
| Control | Relationship |
|---|---|
| Control 3.2: Usage Analytics | Monitor agent activity |
| Control 3.6: Orphaned Agent Detection | Remediate unowned agents |
| Control 2.1: Managed Environments | Environment governance |
Support & Questions
For implementation support or questions about this control, contact:
- AI Governance Lead (governance direction)
- Compliance Officer (regulatory requirements)
- Power Platform Admin (technical setup)
Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification