Control 1.13: Extensibility Readiness — Verification & Testing
Test cases and evidence collection for validating Copilot extensibility governance.
Test Cases
Test 1: Extension Inventory Completeness
- Objective: Verify all active Copilot extensions are documented and approved
- Steps:
  - Run PowerShell Script 1 to generate the current app inventory
  - Run Script 2 to list active Graph connectors
  - Cross-reference against the approved extensions list
  - Identify any unauthorized or undocumented extensions
- Expected Result: All active extensions are documented in the approved list
- Evidence: Extension inventory with approval status annotations
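The cross-reference step of Test 1, as an added PowerShell example that is not part of this control document or of Script 1/Script 2: it joins the inventory export against the approved extensions list, annotates each extension with an approval status, and also surfaces approvals with no active extension behind them. The column names (AppId, DisplayName, Publisher, Kind, ApprovalRef, ApprovedThrough) and the sample rows are assumptions; replace the here-strings with Import-Csv calls against the real exports.

```powershell
# Added example: cross-reference an extension inventory against the approved list.
# Column names and sample data are constructed assumptions; swap the here-strings
# for Import-Csv against the exports produced by Script 1 and Script 2.

# Constructed sample inventory (shape assumed for the Script 1 / Script 2 output)
$inventoryCsv = @"
AppId,DisplayName,Publisher,Kind
00000000-0000-0000-0000-000000000001,Contoso Expense Agent,Contoso,TeamsApp
00000000-0000-0000-0000-000000000002,Unvetted Note Taker,Unknown Publisher,TeamsApp
00000000-0000-0000-0000-000000000003,HR Knowledge Base Connector,Contoso,GraphConnector
"@

# Constructed approved extensions list as maintained by the governance committee
$approvedCsv = @"
AppId,ApprovalRef,ApprovedThrough
00000000-0000-0000-0000-000000000001,GOV-2024-017,2099-12-31
00000000-0000-0000-0000-000000000003,GOV-2024-021,2020-06-30
00000000-0000-0000-0000-000000000004,GOV-2023-009,2099-12-31
"@

$inventory = $inventoryCsv | ConvertFrom-Csv
$approved  = $approvedCsv  | ConvertFrom-Csv
$asOf      = Get-Date                      # evaluation date for approval expiry

# Index approvals by AppId; AppId is the assumed join key between the two exports
$approvedById = @{}
foreach ($a in $approved) { $approvedById[$a.AppId] = $a }

$annotated = foreach ($ext in $inventory) {
    $match  = $approvedById[$ext.AppId]
    $status = if (-not $match) { 'UNAUTHORIZED' }
              elseif ([datetime]$match.ApprovedThrough -lt $asOf) { 'APPROVAL-EXPIRED' }
              else { 'APPROVED' }
    [pscustomobject]@{
        AppId          = $ext.AppId
        DisplayName    = $ext.DisplayName
        Publisher      = $ext.Publisher
        Kind           = $ext.Kind
        ApprovalStatus = $status
        ApprovalRef    = if ($match) { $match.ApprovalRef } else { '' }
    }
}

# Approvals with no active extension behind them are stale and should be retired
$stale = $approved | Where-Object { $_.AppId -notin $inventory.AppId }

# Evidence artefact for Test 1: inventory with approval status annotations
$annotated | Export-Csv -Path .\extension-inventory-annotated.csv -NoTypeInformation
$annotated | Where-Object ApprovalStatus -ne 'APPROVED' | Format-Table -AutoSize
$stale | Format-Table -AutoSize
```

Any row reported as UNAUTHORIZED or APPROVAL-EXPIRED is a Test 1 finding; the exported CSV is the evidence item listed below.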
Test 2: Extension Governance Policy Enforcement
- Objective: Confirm governance policies prevent unauthorized extension installation
- Steps:
  - As a standard user, attempt to install a third-party Teams app that is not on the approved list
  - Verify the installation is blocked by the permission policy
  - Verify the appropriate error message is displayed
  - Confirm the blocked attempt is logged
- Expected Result: Unauthorized extension installation is blocked by policy
- Evidence: Screenshot of blocked installation attempt and audit log entry
Test 3: Graph Connector Data Access Review
- Objective: Verify each Graph connector's data access scope is appropriate
- Steps:
  - For each active Graph connector, review the data source and access permissions
  - Verify the connector only ingests data that is approved for Copilot grounding
  - Confirm access controls on ingested content align with the data classification
  - Verify connector configurations have governance approval documentation
- Expected Result: All Graph connectors have appropriate, documented data access scopes
- Evidence: Connector configuration review with governance approval records
Test 4: Extension Approval Workflow Validation
- Objective: Verify the extension approval process works as designed
- Steps:
  - Submit a test extension approval request through the documented process
  - Verify the request routes to the correct reviewers
  - Confirm the security review and data access assessment steps are executed
  - Verify the approval or rejection is documented and communicated
- Expected Result: Approval workflow functions correctly with all review steps completed
- Evidence: Test approval request with workflow step documentation
Test 5: Custom Agent Governance Compliance
- Objective: Verify custom-built agents meet governance requirements
- Steps:
  - Identify any custom agents deployed via Copilot Studio
  - Review each agent's data source configuration and access scope
  - Verify each agent has passed the required security review
  - Confirm each agent has governance committee approval
- Expected Result: All custom agents comply with governance requirements
- Evidence: Agent configuration review with approval documentation
Evidence Collection
| Evidence Item | Format | Storage Location | Retention |
| --- | --- | --- | --- |
| Extension inventory | CSV | Compliance evidence repository | 7 years |
| Governance policy configuration | Screenshot/PDF | Compliance evidence repository | 7 years |
| Graph connector review records | PDF | Compliance evidence repository | 7 years |
| Approval workflow documentation | PDF | Governance document repository | 7 years |
| Custom agent review records | PDF | Compliance evidence repository | 7 years |
Compliance Mapping
| Regulation | Requirement | How This Control Supports It |
| --- | --- | --- |
| FINRA Rule 3110 | Third-party technology oversight | Extension governance supports compliance with technology oversight requirements |
| OCC Heightened Standards | IT risk management | Extension approval process supports compliance with IT risk management standards |
| NIST CSF | PR.IP-1 Baseline configuration | Extension governance establishes and maintains baseline configurations |
| NIST AI RMF | MAP 5 — AI system components | Extension inventory maps AI system component dependencies |