Control 1.13: Extensibility Readiness — Troubleshooting
Common issues and resolution steps for Copilot extensibility governance.
Common Issues
Issue 1: Third-Party Apps Installed Despite Block Policy
- Symptoms: Users have third-party Teams apps or Copilot extensions installed that should be blocked by the permission policy
- Root Cause: The app permission policy may not be assigned to all users, or the user may have been assigned a different policy that allows third-party apps. Admin-installed apps bypass user-level policies.
- Resolution:
  - Verify the user's assigned app permission policy: `Get-CsOnlineUser -Identity <upn> | Select-Object TeamsAppPermissionPolicy`
  - Check whether the app was installed by an admin (admin installations are not blocked by user-level policies)
  - Review the specific policy assigned to the user for its third-party app settings
  - Reassign the correct restrictive policy if the user has the wrong policy
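The following PowerShell is an added example for Issue 1, not a script from the original page or the control's own script set. It assumes the MicrosoftTeams module with an active admin session (`Connect-MicrosoftTeams`), and that the restrictive policy is named `RestrictedApps` (a placeholder; substitute your tenant's policy name). It lists users whose assigned permission policy is not the expected one, shows how that policy treats the global (third-party) catalog, and surfaces the admin-installed preset apps from each app setup policy, since those bypass the user-level permission policy.

```powershell
# Added example (not from the original page): audit app permission policy assignment for
# Issue 1. Assumes the MicrosoftTeams module and an admin session (Connect-MicrosoftTeams).
# $ExpectedPolicy is an assumed placeholder for your restrictive policy's name.
param(
    [string]$ExpectedPolicy = 'RestrictedApps'   # assumed policy name
)

# Users with no explicit assignment inherit the Global policy; treat a null value as 'Global'.
$users = Get-CsOnlineUser -ResultSize 5000 |
    Select-Object UserPrincipalName,
        @{ n = 'PermissionPolicy'; e = { if ($_.TeamsAppPermissionPolicy) { "$($_.TeamsAppPermissionPolicy)" } else { 'Global' } } },
        @{ n = 'SetupPolicy';      e = { if ($_.TeamsAppSetupPolicy)      { "$($_.TeamsAppSetupPolicy)" }      else { 'Global' } } }

# Users on any policy other than the expected restrictive one are the first thing to check.
$drift = $users | Where-Object { $_.PermissionPolicy -ne $ExpectedPolicy }
$drift | Format-Table -AutoSize

# Confirm what the expected policy does with third-party (global catalog) apps.
$policy = Get-CsTeamsAppPermissionPolicy -Identity $ExpectedPolicy
[pscustomobject]@{
    Policy                = $policy.Identity
    GlobalCatalogAppsType = $policy.GlobalCatalogAppsType   # AllowedAppList blocks everything not listed
    GlobalCatalogApps     = ($policy.GlobalCatalogApps | ForEach-Object { $_.Id }) -join ','
}

# Admin-installed apps come from the app setup policy's preset list, not from the permission
# policy; list them per distinct setup policy so unexpected entries stand out.
$users.SetupPolicy | Sort-Object -Unique | ForEach-Object {
    $setup = Get-CsTeamsAppSetupPolicy -Identity $_
    [pscustomobject]@{
        SetupPolicy = $_
        PresetApps  = ($setup.AppPresetList | ForEach-Object { $_.Id }) -join ','
    }
}

# Remediation for a single user found on the wrong policy (uncomment to apply):
# Grant-CsTeamsAppPermissionPolicy -Identity 'user@contoso.example' -PolicyName $ExpectedPolicy
```

Run it read-only first; the `Grant-CsTeamsAppPermissionPolicy` line is the only change-making call and is left commented so the audit output can be reviewed before any reassignment.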
Issue 2: Graph Connector Ingesting Unintended Content
- Symptoms: Copilot responses reference content from external systems that should not be accessible, or connector is ingesting more data than expected
- Root Cause: Graph connector configuration may have an overly broad data scope, or the access control list (ACL) on ingested items may be too permissive.
- Resolution:
  - Review the connector configuration for data scope settings
  - Verify the ACL mapping is correctly restricting access to ingested items
  - Adjust the connector's crawl scope to include only approved content
  - If needed, pause the connector and re-crawl with corrected settings
  - Test with a standard user to verify content access restrictions
Issue 3: Custom Agent Fails Security Review
- Symptoms: A custom Copilot agent built in Copilot Studio fails the security review and cannot be deployed to production
- Root Cause: The agent may access data sources without proper authentication, expose sensitive data in responses, or lack proper error handling for edge cases.
- Resolution:
  - Review the specific security findings and categorize by severity
  - Address authentication issues by implementing proper credential management
  - Add data masking or filtering for sensitive data in agent responses
  - Implement input validation and error handling for edge cases
  - Re-submit for security review after addressing all findings
Issue 4: Extension Approval Process Causing Deployment Delays
- Symptoms: Business teams report long wait times for extension approvals, causing frustration and potential shadow IT risk
- Root Cause: The approval process may lack defined SLAs, have unclear ownership, or require too many approval steps for low-risk extensions.
- Resolution:
  - Define SLAs for extension approval based on risk level (24h for low, 5 days for medium, 15 days for high)
  - Create a pre-approved extensions list for common, low-risk Microsoft first-party extensions
  - Implement a tiered review process — lightweight for low-risk, comprehensive for high-risk
  - Assign a dedicated approver or approval team with backup coverage
Issue 5: Extension Version Updates Bypass Governance
- Symptoms: Approved extensions receive automatic updates that change their data access scope or capabilities without re-review
- Root Cause: Teams app and Graph connector updates may be applied automatically, and the new version may have different permissions or capabilities.
- Resolution:
  - Configure Teams admin policies to control automatic app updates where possible
  - Implement monitoring using Script 4 to detect extension changes
  - Establish a re-review trigger when an extension's permissions change
  - Subscribe to Microsoft 365 Message Center for announcements about extension capability changes
  - Maintain a version log for all approved extensions
Diagnostic Steps
- Inventory current state: Run all four scripts to get a complete picture
- Check policies: Verify app permission policies are assigned to all Copilot users
- Review approvals: Cross-reference active extensions against approval records
- Test restrictions: Attempt to install a blocked extension to verify policies work
- Audit connectors: Review each Graph connector's configuration and access scope
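The following PowerShell is an added example, not one of the control's own scripts, serving both the "Review approvals" diagnostic step and Issue 5 (version updates that change scope without re-review). It cross-references an extension inventory against an approval register and flags extensions with no approval record, approved extensions whose installed version differs from the approved one, and extensions that now carry permissions the approval never covered. The two CSV blocks are constructed sample data with assumed column names (`AppId`, `Version`, `Permissions`, `ApprovedVersion`, `ApprovedPermissions`); in practice they would be replaced by your inventory export and your approval records.

```powershell
# Added example (not from the original page): cross-reference an extension inventory against
# approval records. Both CSVs are constructed sample data with assumed column names.
$inventoryCsv = @'
AppId,DisplayName,Version,Permissions
11111111-aaaa-4aaa-8aaa-111111111111,Sales Connector,2.1.0,"Files.Read;User.Read"
22222222-bbbb-4bbb-8bbb-222222222222,Ticket Helper,1.4.0,"User.Read;Mail.Read"
33333333-cccc-4ccc-8ccc-333333333333,Whiteboard Bot,1.0.0,"User.Read"
'@

$approvalsCsv = @'
AppId,ApprovedVersion,ApprovedPermissions,Approver
11111111-aaaa-4aaa-8aaa-111111111111,2.1.0,"Files.Read;User.Read",governance-team
22222222-bbbb-4bbb-8bbb-222222222222,1.3.0,"User.Read",governance-team
'@

$inventory = $inventoryCsv | ConvertFrom-Csv
$approvals = @{}
foreach ($row in ($approvalsCsv | ConvertFrom-Csv)) { $approvals[$row.AppId] = $row }

function Get-PermissionSet([string]$list) {
    # Normalise "A;B" into a sorted, trimmed set so ordering differences don't count as drift.
    @($list -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Sort-Object -Unique)
}

$findings = foreach ($app in $inventory) {
    $record = $approvals[$app.AppId]
    if (-not $record) {
        # No approval record at all: treat as an unauthorized extension.
        [pscustomobject]@{ AppId = $app.AppId; DisplayName = $app.DisplayName; Finding = 'NotApproved'; Detail = 'no approval record' }
        continue
    }
    if ($app.Version -ne $record.ApprovedVersion) {
        # Version changed since approval; re-review trigger for Issue 5.
        [pscustomobject]@{ AppId = $app.AppId; DisplayName = $app.DisplayName; Finding = 'VersionDrift'; Detail = "approved $($record.ApprovedVersion), installed $($app.Version)" }
    }
    # Permissions present now but absent from the approved set ('=>' side of the comparison).
    $added = Compare-Object (Get-PermissionSet $record.ApprovedPermissions) (Get-PermissionSet $app.Permissions) |
        Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject
    if ($added) {
        [pscustomobject]@{ AppId = $app.AppId; DisplayName = $app.DisplayName; Finding = 'PermissionDrift'; Detail = "permissions added since approval: $($added -join ', ')" }
    }
}

$findings | Format-Table -AutoSize
```

Permission drift is reported separately from version drift because a new version with the same permission set is usually a lightweight re-review, whereas any added permission should trigger the full re-review the Issue 5 resolution calls for. The sample data is constructed so that each of the three finding types is exercised at least once.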
Escalation
| Severity | Condition | Escalation Path |
|---|---|---|
| Low | Approval process delays | Governance team for process improvement |
| Medium | Unauthorized extensions detected on a few users | Security Operations for remediation |
| High | Graph connector exposing sensitive data | Security Operations and CISO |
| Critical | Widespread unauthorized extension deployment | CISO and governance committee immediately |
Related Resources
- Portal Walkthrough — Extension governance setup
- PowerShell Setup — Extension management scripts
- Verification & Testing — Governance validation