Unanswered

Blocking the "Copilot for Microsoft 365" connector in a Power Platform DLP policy

(1) Share

Report

Posted on by CU18021232-1

I've been investigating the "Copilot for Microsoft 365" connector that appears in the Power Platform Admin Center under DLP policy, and I'm struggling to understand what blocking it actually governs. I'd appreciate any real-world experience or clarity here.

Here is what I've tested so far:

1. The official Copilot Studio DLP documentation lists specific virtual connectors (e.g. "Chat without Microsoft Entra ID authentication in Copilot Studio", "Direct Line channels in Copilot Studio", "Knowledge source with SharePoint and OneDrive in Copilot Studio") with clear, documented enforcement behavior. "Copilot for Microsoft 365" does not appear in that list.

2. I blocked "Copilot for Microsoft 365" in a DLP policy scoped to a test environment. Publishing a Copilot Studio agent to Teams and the Microsoft 365 Copilot channel was completely unaffected.

3. I created a Power Automate flow with the "When an agent calls the flow" trigger in an environment with this connector blocked. No error was raised during creation or execution.

4. There are no visible triggers or actions for this connector in Power Automate.

My questions:
- What specific maker action or runtime behavior does blocking "Copilot for Microsoft 365" in a DLP policy actually prevent?
- Is this now a legacy/deprecated connector entry with no active enforcement surface in most tenants?

Any hands-on experience or pointers to documentation that shows a concrete before/after when this connector is blocked would be really helpful. Any general guidelines on whether this should be allowed or not in the tenant?

Thanks in advance.

Categories:

General topics

I have the same question (0)

All responses (2)

Answers (0)

Sort by

André Arnaud de Cal... 563 on at

Like (0)

Report
Copy link

Link copied!

Hi,

You shared a lot of details. DLP and new Advanced connector policies are limiting connectors per environment or group of environments. When building an agent, I thought that now blocked connectors and actions are not directly accessible, but I might be wrong. I need to check the latest status.

At least at runtime the actions and connectors are blocked. When you are adding an agent to e.g. Teams, it is not aware of the contents and if there are connections to a specific environment. For that reason, you can add existing agents, but at runtime, it should block the access.

Was this reply helpful? Yes No
Nivedipa-MSFT Microsoft Employee on at

Like (0)

Report
Copy link

Link copied!
Hello CU18021232-1,
The "Copilot for Microsoft 365" connector in Power Platform DLP currently has no effect in existing tenants. It's a legacy or placeholder connector without any enforcement capability, which explains why your testing didn't impact Copilot Studio publishing, Teams/M365 Copilot channels, or agent-triggered flows. It's also not listed in the Copilot Studio DLP documentation table, as only connectors with enforced behaviors appear there.

Recommended actions:

Copilot Studio publishing/channels: Use governance settings in Power Platform admin center and manage the specific virtual DLP connectors as needed.

M365 Copilot / declarative agents: Adjust Copilot settings and use the Copilot Control System in the Microsoft 365 admin center.

Agent-triggered flows: Apply DLP policies to the actual connectors used by the flow, such as SharePoint or HTTP.

Graph/Copilot connectors: Manage these through the Copilot section in the M365 admin center.

Recommendation: Consider this connector cosmetic only. Placing it in Blocked or Business has no functional impact. Be sure to note in your DLP documentation that Copilot governance is managed elsewhere to avoid confusion for future reviewers.

Was this reply helpful? Yes No