Governance & Security Guide
A five-phase model for governing Copilot Studio agents
Microsoft divides Copilot Studio projects into five key phases. Administrators and makers can review the pertinent security and governance areas for each specific phase of the project lifecycle.
Phase 1 — Discovery & Planning
- Classify the sensitivity of all documented data sources and run a data protection & risk assessment.
- Establish Managed Environment policies and govern access to premium connectors and features.
- Allocate message capacity at the environment level using add-ons.
Phase 2 — Architecture & Design
- Maintain distinct Development, Testing, and Production environments with environment routing.
- Secure the tenant with Lockbox, Dataverse audit, IP firewall, and IP cookie binding.
- Define allowed authentication (Entra ID vs. manual / none) and apply environment-level DLP policies.
- Enable MFA for all Power Platform and Copilot users via Microsoft Entra ID.
Phase 3 — Build & Integration
- Validate the agent against DLP rules in Dev, Test, and Production.
- Create Environment Groups and configure their policies (premium feature).
- Refine tenant-wide DLP policies to align with the project architecture.
Phase 4 — Testing, Deployment & Launch
- Validate DLP & RBAC: environment policies, roles, and connections in production.
- Confirm all dependencies are configured correctly in the production environment.
- Use service principal accounts for production deployment and connector authentication.
Phase 5 — Monitoring & Optimization
- Monitor tenant, environment, and agent security via the Power Platform admin center.
- Pilot new releases in test environments before wider rollout.
- Run regular governance reviews of environment configs and DLP settings.
Key configuration settings
A quick reference for where each governance control is applied across the tenant and its environments.
| Control | Scope | Where it is configured |
|---|---|---|
| Capacity Management | Tenant / Environment-Level | Add-ons via DLP Policies or Capacity |
| Data Loss Prevention | Tenant & Environment | PPAC → DLP Policies |
| Authentication Control | Per Agent | Authentication in Copilot Studio (Entra ID) |
| Environment Isolation | Dev / Test / Prod | Managed Environments & Environment Groups |
| Tenant Hardening | Tenant | Lockbox, IP firewall, IP cookie binding, Dataverse audit |
| Network Security | Environment | Azure Private Link, firewalls, service endpoints |
| Identity & Access | Tenant | Microsoft Entra ID + MFA + RBAC roles |