
Control 4.13: Copilot Extensibility and Agent Operations Governance — Portal Walkthrough

Step-by-step portal configuration for governing plugins, Graph connectors, and agent operations through Integrated apps and the Agent 365 control plane.

Prerequisites

  • Role: AI Administrator, Teams Admin, or another approved admin role for the surfaces being reviewed
  • License: Microsoft 365 E5 with Copilot add-on
  • Access: Microsoft 365 Admin Center, Teams Admin Center

Steps

Step 1: Review Agent Overview

Portal: Microsoft 365 Admin Center
Path: Agents > Overview

  1. Review the summary metrics for active users, sessions, exception rate, and runtime.
  2. Review governance action cards for pending requests or ownerless agents.
  3. Record follow-up actions in the governance register.

Step 2: Review Agent Registry and Ownership

Portal: Microsoft 365 Admin Center
Path: Agents > All agents / Registry

  1. Review published, shared, blocked, and ownerless agents.
  2. Confirm each broadly available agent has an owner and approval record.
  3. Block or remove agents that do not meet policy.

Step 3: Configure Agent Settings

Portal: Microsoft 365 Admin Center
Path: Agents > Settings

  1. Review allowed agent types.
  2. Review sharing controls.
  3. Review user access scope and any templates used in publication workflows.

Step 4: Configure Integrated Apps Governance

Portal: Microsoft 365 Admin Center
Path: Settings > Integrated apps

  1. Navigate to the Integrated apps settings.
  2. Review the current list of deployed apps and plugins.
  3. Configure the app governance settings:
     • User consent settings: block user consent and require admin approval for all apps, so no user can grant an app access to tenant data on their own.
     • App catalog: curate the list of approved apps available to Copilot users.
     • Third-party app access: restrict to a pre-approved list for FSI environments.
  4. Document the approved plugin catalog with a business justification for each entry.
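The user consent toggle in the portal writes the tenant's authorization policy in Microsoft Entra, and it applies tenant-wide to every application, not only to Copilot plugins. The script below is an added example, not part of the original walkthrough: it reads that policy with Microsoft Graph PowerShell, reports whether users can still self-consent, and, only when run with -Enforce, sets the policy to the "admin-only" state the FSI table calls for. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in admin can be granted the Policy.Read.All (report) or Policy.ReadWrite.Authorization (enforce) scope.

```powershell
# Added example (not from the original walkthrough): audit and optionally
# harden tenant-wide user consent with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Identity.SignIns module and the scopes named below.
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

# Built-in grant policy that lets users consent to any app for any permission
$LegacyUserConsent = 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy'

$scopes = if ($Enforce) { 'Policy.ReadWrite.Authorization' } else { 'Policy.Read.All' }
Connect-MgGraph -Scopes $scopes

$policy   = Get-MgPolicyAuthorizationPolicy
$assigned = @($policy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)

if ($assigned.Count -eq 0) {
    Write-Host 'User consent is blocked: every app permission grant requires admin approval.'
} elseif ($assigned -contains $LegacyUserConsent) {
    Write-Warning "User consent is UNRESTRICTED ($LegacyUserConsent): users can grant any app access to their data."
} else {
    # e.g. ManagePermissionGrantsForSelf.microsoft-user-default-low (verified publishers, low-risk permissions)
    Write-Warning ("User consent is limited by grant policy: {0}" -f ($assigned -join ', '))
}

if ($Enforce -and $assigned.Count -gt 0) {
    # An empty list of grant policies disables user consent entirely
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
    Write-Host 'User consent disabled; new app requests now route through the admin approval workflow.'
}
```

Run it without -Enforce first and paste the output into the governance register as evidence of the starting state; rerun after enforcement to record the change. Because the setting is tenant-wide, confirm the admin consent request workflow from Step 5 is enabled before enforcing, otherwise users have no sanctioned path to request a plugin.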

Step 5: Establish Plugin Approval Workflow

Portal: Microsoft 365 Admin Center
Path: Settings > Integrated apps > User requests

  1. Enable the user request workflow for new app/plugin requests.
  2. Configure the approval chain:
     • First level: the IT team reviews technical requirements and security posture.
     • Second level: the compliance team reviews regulatory and data protection impact.
     • Third level: the business owner confirms the business justification.
  3. Set an SLA for approval decisions (5 business days recommended).
  4. Create a standardized Plugin Risk Assessment template.

Step 6: Configure Copilot Plugin Access Controls

Portal: Microsoft 365 Admin Center
Path: Agents > Settings and Settings > Integrated apps

  1. Navigate to the Copilot plugin settings.
  2. Configure plugin availability:
     • First-party Microsoft plugins: enable approved plugins and disable non-essential ones.
     • Third-party plugins: block all, or allow only those on the approved list.
     • Custom (line-of-business) plugins: enable with governance controls.
  3. Set plugin access by user group; not all users need all plugins.
  4. Document which plugins are approved and for which user groups.

Step 7: Configure Graph Connector Governance

Portal: Microsoft 365 Admin Center
Path: Settings > Search & intelligence > Data sources

  1. Review existing Microsoft Graph connectors.
  2. Evaluate each connector for data sensitivity:
     • What data does the connector expose to Copilot?
     • Are there access control restrictions on the connected data?
     • Does the connector data include regulated content?
  3. Apply sensitivity labels to Graph connector content where applicable.
  4. Document the connector inventory with data classification and access controls.
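A connector only surfaces content to Copilot once its connection is in the ready state, and access to each indexed item is enforced by the ACL the connector attached when it pushed that item; neither the data classification nor the per-item ACLs can be read back from the connection object itself. The script below is an added example, not part of the original walkthrough: it exports the connection inventory that Step 7 asks for, flags the ready connections as the ones in scope for review, and leaves the classification and ACL columns for the reviewer to fill from the three questions above. It assumes the Microsoft.Graph.Search module is installed and that the admin can be granted the ExternalConnection.Read.All scope; the output file name is arbitrary.

```powershell
# Added example (not from the original walkthrough): export a Graph connector
# inventory as the starting point for the Step 7 connector register.
# Assumes the Microsoft.Graph.Search module and the ExternalConnection.Read.All scope.
Connect-MgGraph -Scopes 'ExternalConnection.Read.All'

$inventory = foreach ($c in Get-MgExternalConnection -All) {
    # Entra app registrations permitted to manage this connection and push items into it
    $apps = @($c.Configuration.AuthorizedAppIds)
    [pscustomobject]@{
        ConnectionId       = $c.Id
        Name               = $c.Name
        Description        = $c.Description
        State              = $c.State            # draft / ready / obsoleteForSchemaChange / limitExceeded
        ExposedToCopilot   = ($c.State -eq 'ready')
        AuthorizedAppIds   = ($apps -join ';')
        AuthorizedAppCount = $apps.Count
        # Reviewer-completed fields mapped to the Step 7 questions (assumed column names)
        DataClassification = ''   # e.g. Public / Internal / Confidential / Regulated
        RegulatedContent   = ''   # Yes / No, with the regulation named
        ItemAclsVerified   = ''   # Yes / No: per-item ACLs confirmed against the source system
        Owner              = ''
    }
}

# Ready connections are searchable now, so they head the review queue
$inventory | Where-Object ExposedToCopilot | Format-Table Name, ConnectionId, AuthorizedAppCount -AutoSize

# Draft or obsolete connections still hold data and an authorized app list; keep them in the register
$inventory | Export-Csv -Path '.\graph-connector-inventory.csv' -NoTypeInformation
Write-Host ("Exported {0} connection(s); {1} currently exposed to Copilot." -f
    $inventory.Count, @($inventory | Where-Object ExposedToCopilot).Count)
```

Rerun the export at each review interval from the FSI table and diff the CSV against the previous one; a new ready connection, or a new entry in AuthorizedAppIds, is a change to what Copilot can reach and should trigger the Step 7 evaluation for that connector.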

FSI Recommendations

Setting                               | Baseline                      | Recommended                         | Regulated
--------------------------------------|-------------------------------|-------------------------------------|---------------------------------------------
Agent Overview review                 | Monthly                       | Monthly with tracked follow-up      | Weekly / monthly depending on risk
Agent ownership                       | Required for published agents | Required for all broad-scope agents | Required, with escalation for ownerless agents
User consent for plugins              | Allowed                       | Admin-only consent                  | Admin-only with compliance review
Third-party plugins / partner agents  | Review                        | Pre-approved list                   | Pre-approved with security assessment
Graph connector review                | Ad hoc                        | Annual                              | Semi-annual with data classification

Regulatory Alignment

  • FFIEC Development Booklet — Supports compliance with third-party software governance requirements
  • OCC Third-Party Risk — Helps meet vendor risk management for plugin providers
  • NYDFS 23 NYCRR 500 — Supports third-party service provider security assessment requirements

Next Steps