Control 2.16: Federated Copilot Connector and Model Context Protocol (MCP) Governance

Control ID: 2.16 Pillar: Security & Protection Regulatory Reference: GLBA §501(b), SEC Reg S-P, FFIEC, OCC Bulletin 2023-17 Last Verified: 2026-06-05 Governance Levels: Baseline / Recommended / Regulated

Scope boundary: FSI-CopilotGov vs FSI-AgentGov

This control governs the Microsoft 365 Copilot surface only — tenant-level configuration, data-source posture, audit/eDiscovery, and admin-managed extensibility. Governance of the agents themselves (Copilot Studio agents, declarative agents, Agent Builder, custom pro-code agents) — including agent registration, risk tiering, environment zoning, model-card review, and lifecycle promotion — lives in the companion FSI-AgentGov framework. See Relationship to FSI-AgentGov for the full boundary map.

Objective

Establish governance controls for federated Copilot connectors using the Model Context Protocol (MCP) — a real-time data retrieval mechanism that is architecturally distinct from plugins and Graph connectors. Federated connectors authenticate with user credentials (not admin-managed service accounts), retrieve live data from external sources without indexing, and are enabled by default in M365 tenants. This control supports compliance with GLBA safeguard requirements, SEC Reg S-P privacy obligations, and FFIEC expectations for third-party data access governance.

Why This Matters for FSI

GLBA §501(b) requires safeguards for customer information systems — federated connectors introduce real-time external data flows into Copilot responses, expanding the security boundary beyond Microsoft's managed environment
SEC Reg S-P (248.30) requires safeguarding customer records and information — user-credential-based connectors that pull external data into Copilot responses may expose customer information to third-party services without centralized data governance review
FFIEC IT Examination Handbook (Information Security) expects controls over API access and external data connections — federated connectors bypass the traditional Graph connector indexing model, creating a new unindexed data flow
OCC Bulletin 2023-17 (Third-Party Relationships: Risk Management) rescinded and replaced OCC Bulletin 2013-29; it requires risk management throughout the third-party relationship lifecycle — each federated connector vendor (Canva, HubSpot, Notion, Linear, Google services) is a third-party data processor
Interagency AI Guidance (2023) expects institutions to understand data sources used for AI-generated outputs — federated connectors introduce external data into Copilot responses that may not be subject to the same data quality and accuracy controls as internal data

Control Description

Cross-tenant scope: Cross-tenant federation patterns (Entra Agent ID trust, MCP federated server attestation, Copilot Studio multi-tenant publishing) are addressed by Control 2.17 — Cross-Tenant Agent Federation, which extends this control to multi-tenant scenarios.

What Are Federated Copilot Connectors?

Federated Copilot connectors use the Model Context Protocol (MCP) to retrieve real-time data from third-party sources. Unlike Graph connectors (which index external data into the Microsoft 365 Graph), federated connectors query external sources live at the time of the Copilot interaction.

Architectural Differences from Graph Connectors

Characteristic	Graph Connectors (Control 2.13)	Federated Connectors (This Control)
Data model	Indexed — data is ingested into M365 Graph	Live retrieval — data is fetched in real time
Authentication	Admin-managed service accounts or app-only	User credentials (delegated)
Data residency	Data resides in M365 tenant	Data resides at the external source
Admin control	Admin deploys and manages	Enabled by default; user-initiated authentication
DLP coverage	Indexed data subject to M365 DLP policies	Real-time data may not be subject to DLP until surfaced in response
Audit trail	Connector ingestion events in Purview audit log	Connector invocation events in Purview audit log
Default state	Admin-deployed	Enabled by default for all users

Supported Federated Connectors (as of April 2026)

Federated connectors are available for services including Canva, HubSpot, Notion, Linear, Google Contacts, Google Calendar, and additional connectors in the expanding MCP ecosystem. The connector catalog is evolving — organizations should monitor the M365 Admin Center for newly available connectors.

Risk Profile for FSI

User authenticates personal/work account with third-party service
                          │
                          ▼
              ┌───────────────────────┐
              │ Federated Connector   │
              │ (MCP Protocol)        │
              │                       │
              │ ├─ User credential    │  ← No admin consent gate
              │ ├─ Real-time query    │  ← Data not indexed/cached
              │ ├─ External response  │  ← May include PII, NPI
              │ └─ Injected into      │
              │    Copilot context    │  ← Becomes part of AI response
              └───────────────────────┘
                          │
                          ▼
              Copilot response includes external data
              (subject to whatever DLP policies apply
               at the response layer)

Key FSI risks:

No centralized data review: Users authenticate directly with external services — there is no admin consent gate or data ingestion review before data flows into Copilot responses
Personal account mixing: A trader or advisor could authenticate a personal Google Calendar or Notion workspace, introducing personal data into regulated Copilot workflows
Data residency bypass: External data is fetched from the third party's infrastructure, potentially outside the firm's approved data residency boundaries
Chinese wall violations: Federated connector data from one business unit's external tools could be surfaced in another unit's Copilot responses if information barriers do not extend to federated data flows

Copilot Surface Coverage

M365 Application	Federated Connector Support	Notes
Microsoft 365 Copilot Chat (Researcher)	Yes	Primary surface for federated connectors
Microsoft 365 Copilot Chat (Standard)	Expanding	Rolling out to standard Microsoft 365 Copilot Chat
Excel (Agent Mode)	Expanding	Federated data available in Agent Mode
Word	Planned	Future expansion
Teams	Planned	Future expansion
Outlook	Planned	Future expansion

Governance Levels

Level	Requirement	Rationale
Baseline	Disable all federated connectors tenant-wide via M365 Admin Center; document the restriction rationale; monitor Message Center for new connector availability	Maximum restriction — eliminates real-time external data flow risk during initial governance assessment
Recommended	Selectively enable approved federated connectors; restrict availability to specific user groups via Entra security groups; require security review before enabling each connector; quarterly review of enabled connectors and usage patterns; block connectors that access personal account data	Controlled enablement with formal approval — suitable for firms that need specific external data integrations
Regulated	All Recommended requirements plus: full third-party risk assessment for each connector vendor; connector-specific DLP policies at the response layer; real-time monitoring of connector invocation patterns; connector usage included in examination evidence packages; annual connector security re-assessment; information barrier verification for connector data flows	Comprehensive connector governance — designed for firms where external real-time data access requires formal risk management equivalent to third-party vendor onboarding

Setup & Configuration

Step 1: Assess Current Federated Connector and MCP Tool State

Portal: Microsoft 365 Admin Center > Agents > Tools (where licensed) and Microsoft 365 Admin Center > Settings > Integrated apps

Federated connectors and MCP-based tools are governed from two complementary surfaces:

Agents > Tools is the primary surface for AI-powered tools and Model Context Protocol (MCP) servers available to agents. This page is rolling out to Frontier tenants and may not yet be available in every region.
- Filter by Type = MCP Server to enumerate MCP-based tools that are currently Available or Blocked.
- Note that MCP servers can be Microsoft-published (for example, Work IQ Calendar, Mail, SharePoint, OneDrive, Teams) or registered through the Bring Your Own (BYO) MCP server flow.
Until Agents > Tools is available in your tenant, review federated connector availability through Settings > Integrated apps (for legacy connector inventory) and the Microsoft 365 Copilot connector catalog surfaced in the supported Copilot apps. Note that federated connectors and MCP servers are enabled by default in licensed tenants — if no governance action has been taken, all generally available connectors and Microsoft-published MCP servers are active.
Record current state in the connector and tool inventory, including connector vendor, MCP server publisher, scope of users with access, and whether the connector authenticates with work or personal accounts.

Step 2: Disable or Restrict Federated Connectors and MCP Tools (Baseline)

Portal: Microsoft 365 Admin Center > Agents > Tools (where licensed); fall back to Microsoft 365 Admin Center > Settings > Integrated apps for surfaces not yet exposed under Tools

For Baseline governance, Block all non-essential MCP servers and federated connectors via the Tools toolbar (or disable them through Integrated apps where Tools is not yet available).
Document the restriction rationale in your governance records.
For BYO MCP server registration requests, enforce a "default deny" stance — leave the Requests tab queue empty (or reject pending requests) until the registration approval workflow in Step 3 is in place.

# Federated connector availability now supports PowerShell management.
# The Set-FederatedConnectorToggle cmdlet enables or disables federated
# connectors tenant-wide (authenticate with Global Administrator or AI
# Administrator credentials). The tenant toggle also applies to future
# connectors: when disabled, new connectors appear disabled by default.
Set-FederatedConnectorToggle    # displays current state, then prompts Enable/Disable
# Changes can take up to 10 minutes to propagate across Microsoft 365 experiences.
# Re-run Set-FederatedConnectorToggle to verify the current configuration.
# Per-connector and MCP tool approval remains in the M365 Admin Center > Agents > Tools.

# Verify connector settings via admin center audit
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -Operations "Set-CopilotConnectorPolicy","CopilotConnectorInvoked" -ResultSize 5000

Step 3: Selective Enablement and MCP Server Approval (Recommended/Regulated)

Portal: Microsoft 365 Admin Center > Agents > Tools > Requests tab

For organizations that need specific federated connectors or MCP servers, use the centralized approval workflow:

From Agents > Tools, select the Requests tab to review pending MCP server registration requests. Each pending request shows the server name, publisher, requested-by user, and request date.
Review the server information, declared tools, and requested capabilities for accuracy and policy alignment.
Select Approve to make the server available in the organizational registry, or Reject to deny the request — record the decision rationale.
After Approve, the portal prompts for the Microsoft Entra permissions the MCP server requires. Review the requested permissions and grant Entra consent only if the scopes are least-privilege and aligned with the firm's approved data classifications. The server is unavailable to agent-building surfaces until consent is granted.
After approval, allow up to 30 minutes for the MCP server to appear in all Microsoft Copilot Studio environments in the tenant.

Wrap the portal approval flow in the firm's broader connector and MCP server intake process:

Step	Owner	Deliverable
1. Business request	Requesting department	Business justification for specific connector or MCP server
2. Security review	Information Security	Data flow analysis, vendor assessment, requested Entra permission scopes
3. Privacy review	Privacy/Legal	Privacy impact assessment for external data access
4. Compliance review	Compliance	Regulatory risk assessment (GLBA §501(b), Reg S-P implications)
5. User scoping	IT Operations	Restrict connector/tool to approved Entra security groups
6. Approve in portal	M365 Global Admin	Approve in Agents > Tools > Requests (or enable via Integrated apps for legacy surfaces) and grant Entra consent
7. Monitor usage	Information Security	Monthly review of connector and MCP server invocation patterns

Step 4: Monitor Federated Connector Activity

# Search audit logs for federated connector invocations
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -RecordType "CopilotInteraction" -ResultSize 5000 |
  Where-Object { $_.AuditData -like "*FederatedConnector*" -or $_.AuditData -like "*MCP*" }

# Review connector authentication events
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
  -Operations "UserLoggedIn" -ResultSize 5000 |
  Where-Object { $_.AuditData -like "*connector*" }

Step 5: Personal Account Policy

For FSI environments, establish a clear policy on personal account authentication:

Prohibited connectors: Block connectors that primarily authenticate with personal accounts (e.g., personal Google Calendar, personal Notion)
Work account only: For approved connectors, require authentication with work/enterprise accounts only
User acknowledgment: Require users to acknowledge that connector-accessed data may be included in Copilot responses subject to firm retention and compliance policies

Financial Sector Considerations

Third-party risk management: Each federated connector vendor should be assessed under the firm's third-party risk management framework. Unlike Graph connectors where data is ingested into the M365 tenant, federated connector data remains at the third party's infrastructure — the risk assessment should address data processing, storage, and access controls at the vendor level.
Data residency implications: Federated connectors retrieve data from external services that may process and store data outside the firm's approved jurisdictions. Organizations should verify that each enabled connector's data residency posture aligns with regulatory and contractual requirements (see Control 2.7 — Data Residency).
Information barrier scope: Organizations using information barriers for Chinese wall compliance (Control 2.4) should verify whether barriers extend to federated connector data flows. A connector that retrieves data from a shared external workspace could bypass internal information barriers.
Audit trail completeness: Federated connector invocations should appear in the Purview unified audit log. Organizations should verify that connector events are captured with sufficient detail (connector name, data source, user identity) for examination readiness.
Model risk considerations: Copilot responses that incorporate federated connector data combine internal and external data sources. For model risk management purposes (Control 3.8), organizations should assess whether the provenance and accuracy of federated data meets the firm's data quality standards for AI-generated outputs.

Work IQ MCP Server Catalog

The Work IQ MCP server catalog provides Microsoft-published MCP servers that surface M365 data to Copilot agents. These servers are distinct from third-party federated connectors — they operate within the M365 compliance boundary and authenticate via the user's existing M365 permissions:

MCP Server	Data Source	Default State	FSI Considerations
Work IQ Calendar	Exchange Online calendar events	Available	Surfaces meeting schedules including MNPI-related meetings; review information barrier interaction
Work IQ Mail	Exchange Online mailbox	Available	May surface sensitive email content in agent responses; coordinate with DLP policies (Control 2.1)
Work IQ SharePoint	SharePoint Online sites and libraries	Available	Subject to same oversharing risks as standard Copilot grounding; governed by Controls 1.2, 1.7
Work IQ OneDrive	OneDrive for Business	Available	May surface personally shared files in agent responses
Work IQ Teams	Teams messages and channels	Available	Subject to information barrier controls (Control 2.4)

Organizations should review which Work IQ MCP servers are appropriate for their agent deployments and block servers that create unacceptable data exposure risk. Unlike third-party MCP servers that require the Agents > Tools > Requests approval workflow, Work IQ servers are Microsoft-published and available by default.

Defender Advanced Hunting for MCP Telemetry

Microsoft Defender XDR advanced hunting provides query-based telemetry for MCP server and federated connector activity. Organizations should configure hunting queries to monitor for:

Telemetry Signal	Advanced Hunting Query Focus	FSI Application
MCP server invocations	`CloudAppEvents` where `ActionType` includes MCP-related operations	Track which MCP servers agents are invoking and at what volume — high-volume invocations may indicate data exfiltration attempts
Connector authentication events	`AADSignInEventsBeta` where `AppDisplayName` includes connector services	Detect personal account authentication attempts to blocked connectors
Agent-to-connector data flow	Correlate `CloudAppEvents` (connector invocation) with `CopilotInteraction` events	Reconstruct the full data flow from agent request → connector invocation → response generation
Anomalous connector usage	Baseline normal connector invocation patterns; alert on statistical deviation	Detect compromised agents using connectors for unauthorized data access

Preview/production caveats: MCP server governance is evolving rapidly. Organizations should:

Monitor Microsoft 365 Message Center for changes to the Agents > Tools interface and MCP server management capabilities
Distinguish between GA and preview MCP servers in their governance inventory — preview servers may have different SLAs, data handling commitments, or feature limitations
Test new MCP server enablement in a pilot group before broad deployment

Verification Criteria

#	Verification Step	Expected Result	Governance Level
1	Review federated connector status in M365 Admin Center	Connectors are disabled (Baseline) or restricted to approved connectors only	Baseline
2	Verify no unauthorized connector authentications	Audit log shows no connector authentication events from unapproved user groups	Baseline
3	Confirm connector inventory is documented	Current list of enabled connectors with vendor, data flow, and last review date	Recommended
4	Test connector user scoping	Unapproved users cannot authenticate or invoke federated connectors	Recommended
5	Verify third-party risk assessment exists	Each enabled connector vendor has a current risk assessment on file	Recommended
6	Test DLP policy coverage for connector data	Connector-sourced data in Copilot responses triggers applicable DLP policies	Regulated
7	Verify information barrier scope	Connector data flows respect information barrier boundaries	Regulated
8	Review connector usage audit trail	Connector invocation events appear in Purview audit log with required detail	Regulated
9	Confirm examination-ready documentation	Connector inventory, risk assessments, and usage reports are packaged for examination	Regulated
10	Run quarterly connector re-assessment	All enabled connectors have been re-assessed within the last quarter	Regulated

Additional Resources

FSI Copilot Governance Framework v1.4 - April 2026