Power Platform SSPM Control Mapping

Last Updated: February 2026 | Version: v1.2.51


Point-in-Time Reference

This mapping was prepared in February 2026 based on FSI-AgentGov v1.2.51 and a representative Power Platform SSPM security assessment. Control coverage may change as the framework evolves.

Overview

SaaS Security Posture Management (SSPM) tools evaluate Power Platform environments against security baselines. This page maps common Power Platform SSPM assessment controls to their FSI-AgentGov equivalents, helping organizations cross-reference SSPM findings with framework controls.


How to Use This Document

If you are reviewing FSI-AgentGov coverage against a Power Platform SSPM assessment (such as FalconShield, Adaptive Shield, or similar):

  1. Find your SSPM control ID in the mapping tables below
  2. Follow the FSI-AgentGov control link(s) for full implementation details
  3. Controls marked "Out of Scope" are intentionally excluded — see Governance Fundamentals for scope rationale
  4. Controls marked "Platform-Inherited" are handled by Entra ID tenant configuration
  5. The Configuration Hardening Baseline provides a consolidated checklist for SSPM-detectable settings

Coverage Summary

| Coverage Level | Count | % of Included | Notes |
|---|---|---|---|
| Full Coverage | 32 | 84% | FSI-AgentGov control fully addresses SSPM requirement |
| Partial Coverage | 1 | 3% | RBAC covers core requirement; Dataverse-specific review is a future candidate |
| Out of Scope | 5 | 13% | Outside FSI-AgentGov scope (Power Pages, Dynamics 365 email) |
| Excluded | 4 | N/A | Excluded (Operational/UX) |
| Platform-Inherited | 8 | N/A | Handled by Microsoft 365 / Entra ID platform |

Mapping by Category

Authentication & Access Control

| SSPM Control | FSI-AgentGov Control(s) | Coverage | Notes |
|---|---|---|---|
| SSPM-4: User Authentication Required | 1.11, 1.23, 2.8 | Full | Comprehensive authentication with MFA and step-up auth |
| SSPM-5: Require Users to Sign In | 1.11 | Full | Phishing-resistant authentication mandated |
| SSPM-6: Auth Bypass Prevention | 1.11, 1.23 | Full | No bypass scenarios allowed |
| SSPM-2: Prevent Unauthorized Actions | 1.18, 2.8 | Full | RBAC + agent action consent ("Ask the user before running this action") |
| SSPM-23: Unrestricted Access to AI Agents | 1.1, 1.2, 2.2 | Full | Zone-based access with security groups |
| SSPM-32: Configure Security Groups | 2.2, 1.18 | Full | Managed Environments with RBAC |
| SSPM-38: Set PPAC/Environment Admins | 2.8 | Full | Least privilege admin roles |

Data Protection & DLP

| SSPM Control | FSI-AgentGov Control(s) | Coverage | Notes |
|---|---|---|---|
| SSPM-7: Blocked Attachments | 1.5, 1.17 | Full | DLP policies enforce file extension blocking |
| SSPM-10: MIME Type Restriction | 1.25 | Full | Added in v1.2.49; comprehensive MIME/extension blocking with zone-tiered enforcement |
| SSPM-30: Tenant Isolation | 1.20, 1.4 | Full | ACP + network isolation |
| SSPM-33: Block Agent Publishing via DLP | 1.4, 1.1 | Full | Connector-level DLP |
| SSPM-39: Set DLP in PPAC | 1.4, 1.5 | Full | Comprehensive DLP guidance |
| SSPM-34: Block Shared Agents | 1.2, 3.1 | Full | Agent registry + M365 Admin Center blocking |

Monitoring, Logging & Audit

| SSPM Control | FSI-AgentGov Control(s) | Coverage | Notes |
|---|---|---|---|
| SSPM-9: Audit Logging Enabled | 1.7, 3.9 | Full | Comprehensive logging + Sentinel SIEM |
| SSPM-11: Audit Log Retention (≥180 days) | 1.9, 1.7 | Full | 10-year retention for Zone 3 (exceeds 180-day minimum) |
| SSPM-31: Dataverse Auditing Policy | 1.7, 2.1 | Full | Managed Environments enforce Dataverse auditing |
| SSPM-36: Conversational Transcript Access | 1.19, 2.13 | Full | eDiscovery + RBAC controls |

Session & Email Security

| SSPM Control | FSI-AgentGov Control(s) | Coverage | Notes |
|---|---|---|---|
| SSPM-8: Inactivity Timeout (≤120 min) | 2.22 | Full | Zone 2 ≤120 min, Zone 3 ≤60 min (added v1.2.46) |
| SSPM-12: Session Expiration (≤1440 min) | 2.22, 3.7 | Full | Session expiration documented in 3.7 hardening baseline; cross-referenced from 2.22 |
| SSPM-22: Mailbox Access in Dynamics | 1.18 | Partial | RBAC covers access control; Dataverse-specific mailbox review is a candidate for a future Pillar 2 control |

AI-Specific Features & Safety

| SSPM Control | FSI-AgentGov Control(s) | Coverage | Notes |
|---|---|---|---|
| SSPM-18: AI Prompts Access | 1.14, 2.16 | Full | Scope control + RAG validation |
| SSPM-24: Generative Actions Enabled | 2.17, 2.20 | Full | Orchestration limits + adversarial testing |
| SSPM-25: File Analysis Enabled | 1.6, 1.14 | Full | DSPM + scope controls |
| SSPM-26: Model Knowledge | 1.14, 2.16 | Full | Scope + RAG validation |
| SSPM-27: Semantic Search | 4.6, 4.1 | Full | IAG (RCD/RSS) + grounding scope |
| SSPM-28: Content Moderation | 1.10, 2.11 | Full | Compliance monitoring + bias testing |
| SSPM-37: Block Generative AI Features | 1.4, 2.1 | Full | ACP + Managed Environments |
| SSPM-42: Connected Agent Access | 2.17, 1.22 | Full | Orchestration limits + information barriers |

Environment & Lifecycle Management

| SSPM Control | FSI-AgentGov Control(s) | Coverage | Notes |
|---|---|---|---|
| SSPM-29: Block Bot Publishing via AI | 1.1, 2.3 | Full | Publishing restrictions + change control |
| SSPM-35: Restrict Environment Creation | 2.2, 2.15 | Full | Tenant-level provisioning controls |
| SSPM-40: Environment Routing | 2.15 | Full | Regional routing |
| SSPM-41: Managed Environments | 2.1 | Full | Core governance control |
| SSPM-19: CSP Enforcement | 3.7 | Full | CSP enforcement documented in PPAC security posture hardening baseline |

Controls Not Mapped

The following SSPM controls have no FSI-AgentGov equivalent by design:

Out of Scope (Power Pages)

| SSPM Control | Reason |
|---|---|
| SSPM-1: Power Pages Table Permissions | Power Pages portal security is outside FSI-AgentGov scope (focused on Copilot Studio/Agent Builder) |
| SSPM-17: Old Pending Invitations (Portal) | Power Pages invitation lifecycle management is outside scope |

Out of Scope (Dynamics 365 Email)

| SSPM Control | Reason |
|---|---|
| SSPM-13: Email Message Content Restriction | Dynamics 365 server-side sync setting; Copilot Studio uses MCP-based email channels |
| SSPM-15: Process Emails - Approved Queues | Dynamics 365 server-side sync feature, not applicable to AI agent governance |
| SSPM-16: Process Emails - Approved Users | Same as SSPM-15 |

Excluded (Operational)

| SSPM Control | Reason |
|---|---|
| SSPM-3: User-Defined Action Messages | UX governance, not a security control |
| SSPM-14: Emails with Unresolved Recipients | Data quality, not security |
| SSPM-20: Email Notifications | Operational alerting |
| SSPM-21: Activities Visibility | UI feature |

Platform-Inherited (Entra ID)

| SSPM Control | Reason |
|---|---|
| SSPM-ORG-1 through SSPM-ORG-8: Organization SSO/Auth Standards | Handled by the organization's Entra ID SSO integration; no additional FSI-AgentGov controls needed |

SSPM-2 (Prevent Unauthorized Agent Actions) maps to two complementary FSI-AgentGov controls:

  • Control 1.18 — Agent action consent: "Ask the user before running this action" for all agent actions in Zone 2/3
  • Control 2.23 — AI disclosure consent: User acknowledgment of AI interaction with 90-day re-acknowledgment cycle

Updated: February 2026 | Version: v1.2.51 | Source: Power Platform SSPM Assessment