Configure data loss prevention for copilots
Important
Power Virtual Agents capabilities and features are now part of Microsoft Copilot Studio following significant investments in generative AI and enhanced integrations across Microsoft Copilot.
Some articles and screenshots may refer to Power Virtual Agents while we update documentation and training content.
Organizational data is the most important asset administrators are responsible for safeguarding. The ability to build automation to use that data is a large part of their company's success.
You can rapidly build and roll out your high-value copilots for your end users. You can connect your copilots with many data sources and services. Some of these sources and services might be external, third-party services, and might even include social networks.
It is easy to overlook the potential for exposure. This sort of exposure can result from data leakage or connections to services and audiences that shouldn't have access to the data.
Administrators can govern copilots in your organization using data loss prevention (DLP) policies with existing and Copilot Studio connectors. DLP policies are created in the Power Platform admin center. To create a DLP policy, you need to be a tenant admin or have the Environment Admin role.
Prerequisites
- Review concepts about DLP policies
Copilot Studio connectors
Copilot Studio connectors can be classified within a DLP policy under the following data groups, which are presented in the Power Platform admin center when reviewing DLP policies:
- Business
- Non-business
- Blocked
You can use the connectors in DLP policies to protect your organization's data from any malicious or unintentional data exfiltration by your copilot makers.
Important
By default, DLP enforcement for copilots is disabled in all tenants. Learn about enabling enforcement.
The connectors need to be in a single data group as data can't be shared among connectors that are in different groups.
The following Copilot Studio connectors are available in the Power Platform admin center.
| Connector name | Description |
|---|---|
| Chat without Microsoft Entra ID authentication in Copilot Studio | Block copilot makers from publishing copilots that aren't configured for authentication. Copilot users will require authentication to chat with the copilot. See Example: Require end-user authentication for copilots for more details. |
| Direct Line channels in Copilot Studio | Block any Direct Line channel. For example, the Demo website, Custom website, and Mobile app channels would be blocked. |
| Facebook channel in Copilot Studio | Block copilot makers from enabling or using the Facebook channel. |
| Microsoft Teams channel in Copilot Studio | Block copilot makers from enabling or using the Teams channel. |
| Omnichannel in Copilot Studio | Block copilot makers from enabling or using the Omnichannel channel. |
| Skills with Copilot Studio | Block copilot makers from using skills in Copilot Studio copilots. See Example: Use DLP to block skills in Copilot Studio copilots and Example: Use DLP to block HTTP requests from Copilot Studio copilots for more details. |
Example DLP policy configurations
To help you get started with Copilot Studio copilot governance, we created the following examples that detail different scenarios:
- Example: Use DLP to require end-user authentication for Copilot Studio copilots
- Example: Use DLP to block Power Platform Connectors
- Example: Use DLP to block HTTP requests from Copilot Studio copilots
- Example: Use DLP to block skills in Copilot Studio copilots
Use PowerShell to enable and administer DLP enforcement for copilots in your organization
You can configure whether DLP policies should be applied to your copilots with the PowerAppDlpErrorSettings and PowerVirtualAgentsDlpEnforcement PowerShell cmdlets.
You can:
- Confirm if DLP is enabled for copilots in your tenant.
- Enable or disable DLP in an auditing mode (
-Mode SoftEnabled) so copilot makers can see errors, but aren't prevented from performing actions that would be blocked if DLP enforcement was fully enabled. - Enable or disable DLP enforcement, which will show DLP enforcement errors, and prevent copilot makers from publishing DLP-affected bots or configuring DLP-related settings.
- Exempt specific copilots from DLP enforcement.
- Add and update the learn-more and contact email links that are shown to copilot makers when they encounter DLP in the Copilot Studio web and Teams apps.
Important
Before using the PowerShell cmdlets, or the example scripts shown here, ensure you install the following modules using PowerShell.
- Microsoft.PowerApps.Administration.PowerShell
- Microsoft.PowerApps.PowerShell -AllowClobber
You need to be a tenant admin to use the cmdlets.
Typically, you would use these cmdlets in accordance with a DLP rollout process, which might consist of the following steps, in order:
Add or update the learn-more and admin contact email links that are shown in DLP errors for copilot makers.
Determine which (if any) copilots currently have DLP policy enforcement enabled.
Use auditing or "soft" mode so makers can see DLP errors in the Copilot Studio web and Teams apps.
Mitigate risk by contacting makers and informing them about the best course of action for their app or flow.
Enable DLP enforcement for copilots to prevent DLP-affected tasks and features.
You may also decide to exempt one or more copilots from DLP policy enforcement, depending on the copilot's use case and requirements.
Add and update the learn-more and admin contact email links
You can configure an email and learn-more link using the Set-PowerAppDlpErrorSettings PowerShell cmdlet. Your copilot makers will see this information when they experience DLP errors.
To add the email and learn-more link for the first time, run the following PowerShell script, replacing the values for the <email>, <URL>, and <tenant ID> parameters with your own.
$ContactDetails = [pscustomobject] @{
Enabled=$true
Email="<email>"
}
$ErrorMessageDetails = [pscustomobject] @{
Enabled=$true
Url="<URL>"
}
$ErrorSettingsObj = [pscustomobject] @{
ErrorMessageDetails=$ErrorMessageDetails
ContactDetails=$ContactDetails
}
New-PowerAppDlpErrorSettings -TenantId "<tenant ID>" -ErrorSettings $ErrorSettingsObj
To update an existing configuration, use the same PowerShell script, and replace New-PowerAppDlpErrorSettings with Set-PowerAppDlpErrorSettings.
Caution
These settings apply to all Power Platform apps within the specified tenant.
Enable and configure DLP enforcement for copilots
You can enable, disable, configure, and audit DLP enforcement within Copilot Studio with the PowerVirtualAgentsDlpEnforcement cmdlet.
In any of the following examples, replace (or declare) <tenant ID> with your tenant's ID.
You can scope to copilots created after a certain date by replacing <date> with a date in the format MM-DD-YYYY. To remove the scope, delete the -OnlyForBotsCreatedAfter parameter and its value.
Confirm DLP enforcement for copilots
By default, DLP enforcement for copilots is disabled in all tenants.
You can run the following PowerShell cmdlet to check if DLP for Copilot Studio is enabled for a tenant.
Get-PowerVirtualAgentsDlpEnforcement -TenantId <tenant ID>
Note
If you haven't configured Copilot Studio DLP, the results from the cmdlet will be empty.
Use auditing or "soft" mode to see DLP errors in the Copilot Studio web or Teams apps
Run the following PowerShell script to enable DLP policies in auditing mode. Copilot makers will see DLP-related errors when configuring copilots in the Copilot Studio web and Teams apps, but they won't be blocked from performing DLP-related actions. They can also publish copilots as usual.
Set-PowerVirtualAgentsDlpEnforcement -TenantId <tenant ID> -Mode SoftEnabled
To find copilots that could be impacted by your organization's existing DLP policies, you can:
Use the Center of Excellence (CoE) Starter Kit to get a list of copilots in your organization. Go to the Copilot Studio overview page on the CoE Dashboard to see the copilots and environment names in your organization.
Run a campaign with the copilot makers in your organization to address DLP errors or updated DLP policies. You can download all DLP errors thrown by a copilot by selecting Download details on the error notification banner in Copilot Studio.
Enable DLP enforcement for copilots
Important
Before enabling DLP enforcement, ensure you know which copilots will show errors to your copilot users due to DLP policy violations.
If you run into issues, you can exempt a copilot from DLP policies or disable DLP enforcement while your makers fix the copilot to comply with DLP policies.
You can run the following PowerShell command to enforce DLP policies in Copilot Studio. Copilot makers will be blocked or prevented from performing DLP-affected actions, and end users will see errors if they try to interact with the DLP-impacted features in a copilot.
Set-PowerVirtualAgentsDlpEnforcement -TenantId <tenant ID> -Mode Enabled -OnlyForBotsCreatedAfter <date>
Exempt a bot from DLP policies
If you've enabled DLP enforcement for your tenant but you need to exempt a copilot from showing DLP errors to makers and end-users, you can run the following PowerShell script.
Make sure to replace <environment ID>, <bot ID>, <tenant ID>, and <policy ID> with the appropriate IDs for the copilot you want to exempt.
Tip
You can find the <environment ID> and <bot ID> from the copilot's URL.
The <policy ID> is listed alongside the error details in the Download details file. You can download that file by selecting Download details on the error notification banner in Copilot Studio.
$environmentId = "<environment ID>"
$botId = "<bot ID>";
$tenantId = "<tenant ID>"
$policyName = "<policy ID>"
# Ensure the DLP commands are installed
if (-not (Get-Command "Get-PowerAppDlpPolicyExemptResources" -ErrorAction SilentlyContinue))
{
Write-Host "Please ensure the Power Apps DLP commands are available: https://docs.microsoft.com/power-platform/admin/powerapps-powershell#environments-commands" -ForegroundColor Red
return;
}
# Set up the PVA resource information
$pvaResourceId = "$environmentId+$botId"
$pvaResourceType = "Bot"
$exemptBot = [pscustomobject]@{
id = $pvaResourceId
type = $pvaResourceType
}
Write-Host "Getting exempt resources"
$resources = Get-PowerAppDlpPolicyExemptResources -TenantId $tenantId -PolicyName $policyName
if (-not $resources)
{
$resources = [pscustomobject]@{ exemptResources = @($exemptBot) }
Write-Host "No exempt resources configured yet"
}
$resources = New-PowerAppDlpPolicyExemptResources -TenantId $tenantId -PolicyName $policyName -NewDlpPolicyExemptResources $resources
Write-Host "Added bot to exempt resources"
Disable DLP enforcement for copilots
The following command will disable DLP enforcement in copilots.
Set-PowerVirtualAgentsDlpEnforcement -TenantId <tenant ID> -Mode Disabled
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for