Bug in sharing agent

(1) Share

Report

Posted on by CU05110824-0

I once shared my agent to user C, M, and IS. Then, I removed permission from user IS (picture 1). However, why does user IS still have an access to the agent (picture 2)? Please don't recommend me to delete browsing data and re-login because user IS has already done both but still can access the agent. Don't you know that this is violating the privacy and security policy?

Categories:

Bot administration

I have the same question (0)

All responses (3)

Answers (0)

Haque 1,372 on at

Like (0)

Report
Copy link

Link copied!

Hi @CU05110824-0

Yes, of course it’s violating privacy for sure! Before making any comments, in picture two it’s just showing that IS has access but really s/he can do anything based on the permission?

Let’s revisit theses items:

1. Double-check whether IS is part of any groups or roles that still have access.
2. Verify if there are shared links or indirect permissions that could be keeping access open.
3. Wait a short while and then test again, since revocations can take time.
4. If IS still has access after all checks, it may be a system bug — contacting support would be the next step.

Was this reply helpful? Yes No
CU05110824-0 44 on at

Like (1)

Report
Copy link

Link copied!

Hi @Haque

Before making any comments, in picture two it’s just showing that IS has access but really s/he can do anything based on the permission?

- what do you think? there are still edit button, add tool, add trigger, add agent, even the publish button

Let’s revisit theses items:

1. Double-check whether IS is part of any groups or roles that still have access.

- yes IS is a part of C security group but as seen in previous picture, it just has VIEWER access, so IS should only be able to do the conversation with the agent through channels
2. Verify if there are shared links or indirect permissions that could be keeping access open.

- where? I used to manage access through "share" option as seen below and it used to succeed

3. Wait a short while and then test again, since revocations can take time.

- how long? until now, user IS still has an access to the agent

Was this reply helpful? Yes No
Suggested answer

Haque 1,372 on at

Like (0)

Report
Copy link

Link copied!

Hi @CU05110824-0,

Let's go question by question.

"- what do you think? there are still edit button, add tool, add trigger, add agent, even the publish button" - I meant from admin perspective, you are seeing this but from user point of view, did you check s/he can get the access that you are seeing?

"- how long? until now, user IS still has an access to the agent"

The delay in permission removal enforcement for Dataverse and Power Platform access can sometimes extend beyond 24 hours. Microsoft does not specify an exact guaranteed timeframe - reason because there is no documentation, but in practice, it can take up to several days for all backend caches, policies, and session tokens to fully refresh and revoke access.

"- where? I used to manage access through "share" option as seen below and it used to succeed" (shared links or indirect permissions )

Check Shared Links in Power Apps or Power Automate: Go to the Power Platform Admin Center (https://admin.powerplatform.microsoft.com) --> Navigate to the environment where your agent/app is deployed -->Under "Resources," select "Apps" or "Flows" depending on what you shared --> Find your agent app or flow and check the "Share" settings --> Review the list of users and groups with access. Remove any unintended users or groups.

Review Azure AD Group Memberships: In the Azure Portal (https://portal.azure.com), go to "Azure Active Directory." --> Select "Groups" and find any groups that have access to your environment or app --> Check if user IS is a member of any of these groups --> If so, remove user IS from any groups granting access if necessary.

Check Environment Roles and Security Roles: In Power Platform Admin Center, select the environment -->Go to "Settings" > "Users + permissions" > "Users." --> Find user IS and review assigned security roles-->Remove or adjust roles that grant access to the agent or Dataverse environment.

Review Tenant and Environment Policies: Check if there are any tenant-wide or environment-level policies that grant access indirectly. These might include Managed Environments or Data Loss Prevention (DLP) policies.

Audit Logs and Access Reports: Use Microsoft 365 Compliance Center or Azure AD sign-in logs to audit user IS’s access. Look for any unusual or indirect access paths.

I understand your valid concern. To be honest, I can see your face in your writing! But - this is a community forum, contributors are just volunterring here, not managing direct support for MS. I would kindly request you to open up support ticket - based on whatever licesing you have.

Thanks and let me know if these above stuff helped someway.

Was this reply helpful? Yes No