Hi there! 👋
The error code NetworkIsolationAddressNotAllowed points to a network isolation policy in the target environment that is blocking an address the agent is trying to reach. Here is a structured checklist to work through, grounded in Microsoft Learn:
1. Check if Virtual Network (VNet) support is enabled on the target environment
When Power Platform's Virtual Network support is active on an environment, all connector and agent outbound traffic routes through a delegated Azure subnet — and calls to publicly available resources will break unless those resources are reachable from within the subnet. The error you are seeing is consistent with this behaviour.
To check:
- Open Power Platform Admin Center → Environments → [Your Sandbox]
- Go to Settings → Enterprise policies and verify whether a VNet enterprise policy is linked to the environment
If VNet is enabled and your agent relies on connectors that call public endpoints, you will need to expose those endpoints via Azure Private Endpoint — or temporarily remove the VNet policy from the environment to confirm this is the cause. See Set up Virtual Network support for guidance.
2. Check Power Platform Tenant Isolation settings
Tenant isolation restricts connectors from making outbound connections to resources outside your tenant. If any connector or action in the agent calls an external service, verify those are added to the allow list under Power Platform Admin Center → Policies → Tenant Isolation.
3. Confirm all solution dependencies are properly configured in the target environment
Importing an agent across environments requires that all dependencies are correctly set up in the destination. Per the Export and import agents using solutions docs, pay specific attention to:
- Connection references — must be re-linked to active, valid connections in the target environment (connection references guide)
- Environment variables — values must be set in the target environment (they do not carry over automatically)
- DLP policies — verify the connectors your agent uses are not blocked by a data loss prevention policy specific to the Sandbox environment
4. Run VNet diagnostics (if VNet is configured)
If the environments do have VNet policies, you can use the Microsoft.PowerPlatform.EnterprisePolicies PowerShell diagnostic module to test whether the agent target addresses are reachable:
Test-NetworkConnectivity -EnvironmentId "<YourSandboxEnvironmentId>" -Destination "<TargetEndpoint>" -Port 443
📌 Most likely root cause: Since the error reproduces in both the Sandbox and a freshly created Developer environment, it is worth checking whether both target environments are linked to the same enterprise policy that carries network isolation rules — the source Developer environment may not have that policy, which is why it worked there originally.
Raghav Mishra — LinkedIn | PowerAI Labs