Zohar Raz, Author at Microsoft Power Platform Blog
http://approjects.co.za/?big=en-us/power-platform/blog
Innovate with Business Apps
Mon, 24 Mar 2025 21:19:12 +0000

Enable Robust Security and Governance for Agents in Microsoft 365 Copilot
http://approjects.co.za/?big=en-us/power-platform/blog/it-pro/security-and-governance-for-agents/
Tue, 04 Mar 2025 17:00:00 +0000

A Quick-Start Guide to Data Protection, Governance at Scale, and Monitoring

Microsoft 365 Copilot represents a leap forward in AI-powered assistance, designed to streamline workflows and enhance productivity. However, as with any robust system, ensuring data protection, governance, and monitoring is paramount.

A diagram of advanced agent capabilities.

The types of agents available within Microsoft Copilot range from task-specific agents that automate repetitive actions to conversational agents that assist with customer service inquiries. With such a wide range of agent capabilities, how do organizations balance security and governance concerns with the desire to bring great innovation and meet the demands of their makers and agent creators?

A diagram of balancing governance and innovation, including questions asked by both IT and agent creators.

This guide explores the key aspects of securing and managing agents built with Microsoft Copilot Studio, Copilot Studio agent builder, and SharePoint agents, from data protection practices to governance at scale, visibility, and monitoring.

Data Protection

Data protection is a cornerstone of Microsoft Copilot, ensuring that sensitive information remains secure and compliant with organizational policies. Here are the primary components:

Encryption and Isolation

All data managed by Microsoft Copilot is encrypted both in transit and at rest, ensuring robust protection against unauthorized access. Data isolation mechanisms further safeguard sensitive information by preventing cross-tenant data leakage.

Persistent Label Inheritance and DLP Policies

Agents use persistent label inheritance, meaning any new content generated inherits the sensitivity labels from the source content. This ensures that data loss prevention (DLP) policies are consistently applied, reducing the risk of data breaches.

Conditional Access and Endpoint Management

To enhance security, organizations can leverage risk-based conditional access and endpoint management. This allows administrators to set policies that control access based on user risk levels and device compliance, ensuring that only authorized users can access sensitive data.

Governance at Scale

Effective governance ensures that agents are used responsibly and in alignment with organizational policies. Here’s how to manage governance at scale:

Agent Administration

Microsoft Copilot provides administration through the Microsoft 365 Admin Center and Power Platform Admin Center. This allows for streamlined management of permissions, policies, and compliance settings across the organization.

Screenshot of Microsoft 365 Admin Center settings for managing integrated apps.

Connector Management Policies

When building agents with Microsoft Copilot Studio, makers can choose from 1500+ connectors offered by Power Platform or build custom connectors by calling REST APIs to enrich the data used with their agents. Administrators can create and enforce connector management policies to govern data flows across those connectors and services. These policies help prevent data leakage and ensure that sensitive information is adequately protected.

Screenshot of connector policies in Power Platform admin center

Visibility and Monitoring

Visibility and monitoring are critical for maintaining the security and efficiency of agent deployments. Here are the key strategies:

Agent Inventory

Agents built with Agent Builder can be viewed in the Microsoft 365 admin center, where admins can view and search the inventory of shared agents in their tenant and block the sharing of agents. To view the usage of agents built by your organization using Microsoft Copilot Studio, Agent Builder, and Teams Toolkit, visit the Usage report in the Microsoft 365 admin center. Learn more at aka.ms/MACAgentReport.

A screenshot of agent inventory in Microsoft 365 admin center.

Admins who need to view their custom agents built in Microsoft Copilot Studio can view agent inventory, currently in public preview, in the Power Platform admin center, on the Manage page and inventory section.

A screenshot of agent inventory in Power Platform admin center.

Data Security Posture Management (DSPM) for AI

DSPM for AI provides insights for IT and security teams to proactively discover data risks, such as data in user prompts, and receive recommended actions and insights for quick responses. This tool helps administrators identify potential security vulnerabilities and take proactive measures to mitigate them.

A screenshot of Data Security Posture Management for AI in Microsoft Purview.

Agent Data Security and Compliance

Agents built with Copilot Studio, Copilot Studio agent builder, and SharePoint agents include comprehensive activity logging and auditing capabilities. Administrators can have clear visibility into user interactions and detect anomalies and risky AI usage. Additionally, administrators can ensure compliance with organizational policies and can govern user prompts and agent responses with audit, eDiscovery, retention policies, and non-compliant usage detection.

A screenshot of agent data security and compliance in Microsoft Purview.

Copilot Dashboard and Analytics

The Copilot Dashboard offers real-time analytics on usage, performance, and security. This visibility enables organizations to make informed decisions, optimize operations, and ensure compliance with regulatory requirements.

Setting Up Pay-As-You-Go and Azure Metering for Consumption Planning

Administrators have the option to choose between pre-paid user licenses or metered billing based on actual usage. This flexibility allows customers to gradually increase adoption while effectively managing costs. Additionally, we are committed to enhancing cost management capabilities to facilitate easier management at scale. Future enhancements will include functionalities such as the ability to charge back expenses to specific business units and set expenditure caps.

Effective consumption planning is essential for managing costs and ensuring optimal resource utilization.

Bring Agents into Your Organization Securely

Ensuring robust security and governance for Microsoft Copilot and its agents is critical for maintaining data integrity, compliance, and efficiency. By implementing comprehensive data protection measures, centralized governance, and advanced monitoring, organizations can leverage the full potential of Microsoft Copilot while safeguarding their data. Additionally, setting up pay-as-you-go and Azure metering helps manage costs and optimize resource usage, ensuring a sustainable and scalable deployment.

Announcing exciting updates to managed environments licensing
http://approjects.co.za/?big=en-us/power-platform/blog/it-pro/announcing-exciting-updates-to-managed-environments-licensing/
Tue, 19 Nov 2024 13:45:32 +0000

In response to customer feedback and a commitment to empowering organizations with more advanced governance and security capabilities, we’re making an update to our managed environments licensing model. At Microsoft Ignite we are announcing that managed environments capabilities are included with existing Power Apps Premium or Power Automate Premium (Power Platform user licenses). Here’s what this change means for you, how it simplifies governance, and the benefits it brings to your organization.

Why This Change? 

Managed environments empowers customers with critical tools for comprehensive governance, advanced security, and streamlined operations management to enhance oversight across the entire platform. Managed environments capabilities remain a benefit of existing premium licenses, and any environment with managed features requires the users of any of the assets in that environment to have a premium license. However, there’s been some confusion in the past about whether apps and flows with standard features in a managed environment require the same user to have both a Power Apps and Power Automate license to be compliant. It is not our intention to “double charge” for these features, so we’re updating the Power Platform licensing guide to clarify that as long as all active users are appropriately licensed with at least one premium license, managed environments features will work, and customers will be compliant. 

With these updates, we’re taking steps to remove a key hurdle and offer a licensing model that better aligns with the way you use the Power Platform every day. 

What’s Changing? 

We will be updating the Power Platform licensing guide to clarify that as long as all active users are appropriately licensed with at least one premium license, a Power Apps Premium or a Power Automate Premium, managed environments features will work, and customers will be compliant.  

Customers with Power Apps Premium or Power Automate Premium user licenses are eligible to use managed environments capabilities to govern all the apps and flows in the environment. This enables your organization to strengthen governance and security using the full capabilities of managed environments. For example, if your organization assigns premium Power Apps (or premium Power Automate) licenses to all active employees, managed environments can be activated across all environments organization-wide, including the Default environment. (See the FAQ section for more information.)

These updates are designed for Power Platform’s user-based licenses, such as Power Apps Premium and Power Automate Premium. Capacity-based licenses (e.g., Power Automate Process, Copilot Studio messages, or Dataverse capacity) remain excluded from this change to ensure the premium experience remains consistent and valuable.  

No Change for Premium Assets

Premium flows and apps will continue to require dedicated premium licenses, regardless of the environment they’re in. This ensures stability in customer expectations and budgeting.

How Does This Benefit You? 

This streamlined licensing model opens managed environments for even more users, helping organizations adopt critical governance and security features without requiring additional licenses. Here’s how: 

  • Enhanced Control and Security 
    Managed environments allow you to apply advanced data policies, create safe environments, and manage resources effectively across departments. With simplified access, it’s now easier to keep your data and workflows secure. 
  • Reduced Complexity 
    By aligning managed environments capabilities directly with existing Power Platform Premium licenses, you’ll save on the time and cost of navigating additional license requirements for critical governance features. 
  • Greater Flexibility for Growing Organizations 
    For organizations expanding their use of Power Platform across teams, these changes mean more seamless scaling without increased licensing costs for essential governance features. 

What’s Next? 

Our goal with this update is to make managed environment capabilities accessible to a broader range of customers. This licensing change is a direct response to customer feedback, and we’ll continue to evaluate ways to improve managed environments and Power Platform governance in response to your evolving needs. 

Stay tuned for more details during Microsoft Ignite on November 19th and be sure to reach out to your Microsoft account representative if you have any questions on how this update can benefit your organization.

FAQ

Q: How do the changes to the managed environment licensing model impact my existing Power Apps and Power Automate licenses? 

A: These changes allow customers to assign their existing premium licenses more easily and consume them fully, before they need to acquire more licenses.

Q: Do all users in a managed environment need a premium license even if they are not directly interacting with flows or apps?

A: No, this doesn’t change. Only active users in managed environments who are generating activity by launching an app or running a flow are required to have a premium license assigned.

Q: What is the expected license behavior if a user is assigned a Power Apps Premium and Power Automate Premium while running basic or in-context flows only?

A: If a user is assigned both a Power Apps Premium and Power Automate Premium but is only running basic or in-context flows, the Power Apps Premium covers this activity; the Power Automate Premium provides additional flexibility for any premium flows.

Q: What types of activities are considered basic flows in managed environments, and how are they covered under this new model? 

A: All standard standalone flows hosted in a managed environment that were created via the Power Automate Studio or outside of the studio (via SPO, Teams, Outlook…) are basic flows in a managed environment that can be run if the user has a Power Apps Premium license or a Power Automate Premium license.

Q: A flow using SQL in an environment is used by a user with a Power Apps Premium license. Does the user need a Power Automate Premium license?

A: Yes, they need a Power Automate license. When the flow is not running in the context of a Power App and is using a premium connector like SQL, then a Power Automate Premium license is required. The Power Apps Premium license does not cover standalone cloud flows with premium connectors unless the flow is directly associated with or triggered by the Power App.

Q: A desktop flow in a managed environment with desktop DLP is used by a user with a Power Apps Premium license. Does the user need a Power Automate Premium license?

A: Yes, they need a Power Automate Premium license. Desktop flows (RPA) require a Power Automate Premium license, regardless of the user’s Power Apps license. The Power Apps Premium license does not cover desktop automation or RPA scenarios.

Q: A user with a Power Automate Premium license starts to use a premium Power App. Do they need a Power Apps Premium license?

A: Yes, they need a Power Apps license. A Power Automate Premium license does not include access to premium Power Apps. To use apps in a managed environment or to use premium Power Apps (apps with Dataverse or premium connectors), the user must also have a Power Apps Premium license.

Note: If the user was assigned the premium Power Automate license just to use basic flows in a managed environment (vs. for the use of RPA or premium flows), admins can remove that assignment once the Power Apps Premium is assigned.

Q: A user with a Power Apps Premium license creates a new standalone flow via Power Automate studio and the flow only uses standard connectors (SharePoint, Outlook…). Does the user need a Power Automate Premium?

A: No, Power Automate is not required. Standard flows do not require an additional premium license, so the user can run the flow in a managed environment using their existing Power Apps Premium license.

Q: A user sets up an independent flow in an environment that integrates with Dataverse as part of a data management process and not triggered by any Power App. Does the user need a Power Automate Premium License? 

A: Yes, a Power Automate Premium license is required.  Since the flow uses Dataverse, which is a premium connector, the user needs a Power Automate Premium license to use this flow when it is not in the context of a Power App. 

Q: A user with a Power Apps Premium license creates a flow using AI Builder (e.g., extracting text from documents) within an environment. Does the user need a Power Automate Premium license? 

A: Yes, a Power Automate Premium license is required. The use of AI Builder is considered a premium feature within Power Automate, so even though the user has a Power Apps Premium license, they must also have a Power Automate Premium license to run flows with AI Builder capabilities.

Q: A flow using a premium connector is shared with a team of 10 members. The flow runs within a managed environment, and all users need access to edit or trigger the flow. Some users have Power Apps Premium licenses, while others have Power Automate Premium licenses. What is required? 

A: All users who need to interact with or trigger the flow must have a Power Automate Premium license. Power Apps Premium licenses do not cover editing or running a standalone flow with a premium connector outside the context of an app.
