Control 2.16: Federated Copilot Connector and Model Context Protocol (MCP) Governance

Control ID: 2.16
Pillar: Security & Protection
Regulatory Reference: GLBA 501(b), Reg S-P, FFIEC, OCC Bulletin 2023-17
Last Verified: 2026-04-09
Governance Levels: Baseline / Recommended / Regulated


Objective

Establish governance controls for federated Copilot connectors using the Model Context Protocol (MCP) — a real-time data retrieval mechanism that is architecturally distinct from plugins and Graph connectors. Federated connectors authenticate with user credentials (not admin-managed service accounts), retrieve live data from external sources without indexing, and are enabled by default in M365 tenants. This control supports compliance with GLBA safeguard requirements, SEC Reg S-P privacy obligations, and FFIEC expectations for third-party data access governance.


Why This Matters for FSI

  • GLBA 501(b) requires safeguards for customer information systems — federated connectors introduce real-time external data flows into Copilot responses, expanding the security boundary beyond Microsoft's managed environment
  • SEC Reg S-P (248.30) requires safeguarding customer records and information — user-credential-based connectors that pull external data into Copilot responses may expose customer information to third-party services without centralized data governance review
  • FFIEC IT Examination Handbook (Information Security) expects controls over API access and external data connections — federated connectors bypass the traditional Graph connector indexing model, creating a new unindexed data flow
  • OCC Bulletin 2023-17 (Third-Party Relationships: Risk Management) rescinded and replaced OCC Bulletin 2013-29; it requires risk management throughout the third-party relationship lifecycle — each federated connector vendor (Canva, HubSpot, Notion, Linear, Google services) is a third-party data processor
  • Interagency AI Guidance (2023) expects institutions to understand data sources used for AI-generated outputs — federated connectors introduce external data into Copilot responses that may not be subject to the same data quality and accuracy controls as internal data

Control Description

What Are Federated Copilot Connectors?

Federated Copilot connectors use the Model Context Protocol (MCP) to retrieve real-time data from third-party sources. Unlike Graph connectors (which index external data into the Microsoft 365 Graph), federated connectors query external sources live at the time of the Copilot interaction.

Architectural Differences from Graph Connectors

| Characteristic | Graph Connectors (Control 2.13) | Federated Connectors (This Control) |
| --- | --- | --- |
| Data model | Indexed — data is ingested into M365 Graph | Live retrieval — data is fetched in real time |
| Authentication | Admin-managed service accounts or app-only | User credentials (delegated) |
| Data residency | Data resides in M365 tenant | Data resides at the external source |
| Admin control | Admin deploys and manages | Enabled by default; user-initiated authentication |
| DLP coverage | Indexed data subject to M365 DLP policies | Real-time data may not be subject to DLP until surfaced in response |
| Audit trail | Connector ingestion events in Purview audit log | Connector invocation events in Purview audit log |
| Default state | Admin-deployed | Enabled by default for all users |

Supported Federated Connectors (as of April 2026)

Federated connectors are available for services including Canva, HubSpot, Notion, Linear, Google Contacts, Google Calendar, and additional connectors in the expanding MCP ecosystem. The connector catalog is evolving — organizations should monitor the M365 Admin Center for newly available connectors.

Risk Profile for FSI

User authenticates personal/work account with third-party service
              ┌───────────────────────┐
              │ Federated Connector   │
              │ (MCP Protocol)        │
              │                       │
              │ ├─ User credential    │  ← No admin consent gate
              │ ├─ Real-time query    │  ← Data not indexed/cached
              │ ├─ External response  │  ← May include PII, NPI
              │ └─ Injected into      │
              │    Copilot context    │  ← Becomes part of AI response
              └───────────────────────┘
              Copilot response includes external data
              (subject to whatever DLP policies apply
               at the response layer)

Key FSI risks:

  1. No centralized data review: Users authenticate directly with external services — there is no admin consent gate or data ingestion review before data flows into Copilot responses
  2. Personal account mixing: A trader or advisor could authenticate a personal Google Calendar or Notion workspace, introducing personal data into regulated Copilot workflows
  3. Data residency bypass: External data is fetched from the third party's infrastructure, potentially outside the firm's approved data residency boundaries
  4. Chinese wall violations: Federated connector data from one business unit's external tools could be surfaced in another unit's Copilot responses if information barriers do not extend to federated data flows

Copilot Surface Coverage

| M365 Application | Federated Connector Support | Notes |
| --- | --- | --- |
| Microsoft 365 Copilot Chat (Researcher) | Yes | Primary surface for federated connectors |
| Microsoft 365 Copilot Chat (Standard) | Expanding | Rolling out to standard M365 Chat |
| Excel (Agent Mode) | Expanding | Federated data available in Agent Mode |
| Word | Planned | Future expansion |
| Teams | Planned | Future expansion |
| Outlook | Planned | Future expansion |

Governance Levels

| Level | Requirement | Rationale |
| --- | --- | --- |
| Baseline | Disable all federated connectors tenant-wide via M365 Admin Center; document the restriction rationale; monitor Message Center for new connector availability | Maximum restriction — eliminates real-time external data flow risk during initial governance assessment |
| Recommended | Selectively enable approved federated connectors; restrict availability to specific user groups via Entra security groups; require security review before enabling each connector; quarterly review of enabled connectors and usage patterns; block connectors that access personal account data | Controlled enablement with formal approval — suitable for firms that need specific external data integrations |
| Regulated | All Recommended requirements plus: full third-party risk assessment for each connector vendor; connector-specific DLP policies at the response layer; real-time monitoring of connector invocation patterns; connector usage included in examination evidence packages; annual connector security re-assessment; information barrier verification for connector data flows | Comprehensive connector governance — designed for firms where external real-time data access requires formal risk management equivalent to third-party vendor onboarding |

Setup & Configuration

Step 1: Assess Current Connector State

Portal: Microsoft 365 Admin Center > Settings > Copilot

  1. Navigate to the Copilot settings page
  2. Review the federated connectors section to identify which connectors are currently enabled
  3. Note that connectors are enabled by default — if no action has been taken, all available connectors are active

Step 2: Disable or Restrict Federated Connectors (Baseline)

Portal: Microsoft 365 Admin Center > Settings > Copilot > Federated connectors

  1. For Baseline governance, disable all federated connectors
  2. Document the restriction rationale in your governance records

```powershell
# Review current connector status (check M365 Admin Center for PowerShell cmdlet availability)
# As of April 2026, connector management is primarily portal-based
# Monitor for PowerShell/Graph API availability for bulk management

# Verify connector settings via admin center audit
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -Operations "Set-CopilotConnectorPolicy","CopilotConnectorInvoked" -ResultSize 5000
```

Step 3: Selective Enablement (Recommended/Regulated)

For organizations that need specific federated connectors:

| Step | Owner | Deliverable |
| --- | --- | --- |
| 1. Business request | Requesting department | Business justification for specific connector |
| 2. Security review | Information Security | Data flow analysis and vendor assessment |
| 3. Privacy review | Privacy/Legal | Privacy impact assessment for external data access |
| 4. Compliance review | Compliance | Regulatory risk assessment (GLBA, Reg S-P implications) |
| 5. User scoping | IT Operations | Restrict connector to approved Entra security groups |
| 6. Enable connector | M365 Admin | Enable approved connector for scoped user population |
| 7. Monitor usage | Information Security | Monthly review of connector invocation patterns |

Step 4: Monitor Federated Connector Activity

```powershell
# Search audit logs for federated connector invocations
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
  -RecordType "CopilotInteraction" -ResultSize 5000 |
  Where-Object { $_.AuditData -like "*FederatedConnector*" -or $_.AuditData -like "*MCP*" }

# Review connector authentication events
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
  -Operations "UserLoggedIn" -ResultSize 5000 |
  Where-Object { $_.AuditData -like "*connector*" }
```
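
Verification step 2 expects the audit log to show no connector activity from unapproved users. The PowerShell below is an added example, not part of the framework's own scripts: it applies the Step 4 string match to audit records and summarizes connector use by anyone outside the approved list. The function name `Find-UnapprovedConnectorUse`, the user names, and the sample records with their AuditData JSON are constructed for illustration.

```powershell
# Added example. Function name, users and AuditData JSON below are constructed
# for illustration; they are not the documented Purview schema.
function Find-UnapprovedConnectorUse {
    [CmdletBinding()]
    param(
        # Objects shaped like Search-UnifiedAuditLog output
        [Parameter(Mandatory)] [object[]] $AuditRecord,
        # UPNs of the Entra security group approved for connector use
        [Parameter(Mandatory)] [string[]] $ApprovedUser
    )
    $AuditRecord |
        # Same string match the Step 4 query uses to pick out connector events
        Where-Object { $_.AuditData -like '*FederatedConnector*' -or $_.AuditData -like '*MCP*' } |
        # -notin compares case-insensitively, so UPN casing does not cause false hits
        Where-Object { $_.UserIds -notin $ApprovedUser } |
        Group-Object -Property UserIds |
        ForEach-Object {
            $times = @($_.Group.CreationDate | Sort-Object)
            [pscustomobject]@{
                User        = $_.Name
                Invocations = $_.Count
                FirstSeen   = $times[0]
                LastSeen    = $times[-1]
            }
        }
}

# Constructed sample records: one approved user, one unapproved user invoking a
# connector twice, and one ordinary Copilot interaction with no connector involved.
$records = @(
    [pscustomobject]@{ UserIds = 'advisor1@contoso.example'; CreationDate = [datetime]'2026-04-01 09:15'
                       AuditData = '{"Detail":"FederatedConnector:Notion"}' }
    [pscustomobject]@{ UserIds = 'trader7@contoso.example';  CreationDate = [datetime]'2026-04-02 14:02'
                       AuditData = '{"Detail":"FederatedConnector:HubSpot"}' }
    [pscustomobject]@{ UserIds = 'trader7@contoso.example';  CreationDate = [datetime]'2026-04-03 08:40'
                       AuditData = '{"Detail":"MCP tool call"}' }
    [pscustomobject]@{ UserIds = 'analyst3@contoso.example'; CreationDate = [datetime]'2026-04-03 11:20'
                       AuditData = '{"Detail":"Word"}' }
)

# Approved list as exported from the scoping group (constructed; note the casing)
$approved = @('Advisor1@contoso.example')

Find-UnapprovedConnectorUse -AuditRecord $records -ApprovedUser $approved | Format-Table -AutoSize
```

In a tenant, pass the results of the Step 4 `Search-UnifiedAuditLog` query as `-AuditRecord` and the exported membership of the approved Entra security group as `-ApprovedUser`.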

Step 5: Personal Account Policy

For FSI environments, establish a clear policy on personal account authentication:

  1. Prohibited connectors: Block connectors that primarily authenticate with personal accounts (e.g., personal Google Calendar, personal Notion)
  2. Work account only: For approved connectors, require authentication with work/enterprise accounts only
  3. User acknowledgment: Require users to acknowledge that connector-accessed data may be included in Copilot responses subject to firm retention and compliance policies

Financial Sector Considerations

  • Third-party risk management: Each federated connector vendor should be assessed under the firm's third-party risk management framework. Unlike Graph connectors where data is ingested into the M365 tenant, federated connector data remains at the third party's infrastructure — the risk assessment should address data processing, storage, and access controls at the vendor level.
  • Data residency implications: Federated connectors retrieve data from external services that may process and store data outside the firm's approved jurisdictions. Organizations should verify that each enabled connector's data residency posture aligns with regulatory and contractual requirements (see Control 2.7 — Data Residency).
  • Information barrier scope: Organizations using information barriers for Chinese wall compliance (Control 2.4) should verify whether barriers extend to federated connector data flows. A connector that retrieves data from a shared external workspace could bypass internal information barriers.
  • Audit trail completeness: Federated connector invocations should appear in the Purview unified audit log. Organizations should verify that connector events are captured with sufficient detail (connector name, data source, user identity) for examination readiness.
  • Model risk considerations: Copilot responses that incorporate federated connector data combine internal and external data sources. For model risk management purposes (Control 3.8), organizations should assess whether the provenance and accuracy of federated data meets the firm's data quality standards for AI-generated outputs.

Verification Criteria

| # | Verification Step | Expected Result | Governance Level |
| --- | --- | --- | --- |
| 1 | Review federated connector status in M365 Admin Center | Connectors are disabled (Baseline) or restricted to approved connectors only | Baseline |
| 2 | Verify no unauthorized connector authentications | Audit log shows no connector authentication events from unapproved user groups | Baseline |
| 3 | Confirm connector inventory is documented | Current list of enabled connectors with vendor, data flow, and last review date | Recommended |
| 4 | Test connector user scoping | Unapproved users cannot authenticate or invoke federated connectors | Recommended |
| 5 | Verify third-party risk assessment exists | Each enabled connector vendor has a current risk assessment on file | Recommended |
| 6 | Test DLP policy coverage for connector data | Connector-sourced data in Copilot responses triggers applicable DLP policies | Regulated |
| 7 | Verify information barrier scope | Connector data flows respect information barrier boundaries | Regulated |
| 8 | Review connector usage audit trail | Connector invocation events appear in Purview audit log with required detail | Regulated |
| 9 | Confirm examination-ready documentation | Connector inventory, risk assessments, and usage reports are packaged for examination | Regulated |
| 10 | Run quarterly connector re-assessment | All enabled connectors have been re-assessed within the last quarter | Regulated |

Additional Resources


FSI Copilot Governance Framework v1.4 - April 2026