Data loss prevention example - Require end-user authentication in copilots

Important

Power Virtual Agents capabilities and features are now part of Microsoft Copilot Studio following significant investments in generative AI and enhanced integrations across Microsoft Copilot.

Some articles and screenshots may refer to Power Virtual Agents while we update documentation and training content.

When you create a new copilot, the Authenticate with Microsoft authentication option is turned on by default. The copilot automatically uses Microsoft Entra ID authentication for Authenticate with Microsoft without requiring any manual setup, and only lets you chat with your copilot on Teams. However, copilot makers in your organization can select the No authentication option to allow anyone with the link to chat with your copilot.

Screenshot of the authentication configuration panel with the 'Authenticate with Microsoft' option highlighted.

To help prevent data exfiltration, you can use data loss prevention (DLP) policies to block your copilot makers from configuring and publishing copilots that aren't configured for authentication.

If you use the Chat without Microsoft Entra ID authentication in Microsoft Copilot Studio connector in an enforced DLP policy, copilot makers will need to configure end-user authentication with Authenticate with Microsoft or Authenticate manually in Microsoft Copilot Studio.

See the Configure data loss prevention for Microsoft Copilot Studio copilots topic for information about other DLP-related connectors.

Configure DLP to require authentication in the Power Platform admin center

Select or create a policy

  1. In the Power Platform admin center, under Policies, select Data policies.

  2. Create a new policy, or choose an existing policy to edit:

    1. If you want to create a new policy, select New policy.

    2. If you want to choose an existing policy to edit, select the policy and select Edit policy.

  3. Enter a name for the policy, then select Next. You can change the name later.

Choose an environment

  1. Choose one or more environments to add to your policy.

  2. Select + Add to policy.

  3. Select Next.

Add the connector

  1. Use the search box to find the Chat without Microsoft Entra ID authentication in Microsoft Copilot Studio connector.

    Screenshot of the Chat without Microsoft Entra ID authentication in Microsoft Copilot Studio connector.

  2. Select the connector's More actions menu, and then select Block.

    Screenshot of the Power Platform admin center showing the contextual menu for a connector available from the menu icon.

  3. Select Next.

  4. If you're a tenant admin, or an environment admin for multiple environments, you'll see the Scope step. Choose one or more environments that your DLP policy will apply to.

    Screenshot of the scope step where one or more environments are chosen.

    Note

    If the policy has a tenant scope, the DLP policy will apply to all copilots.

  5. Review your policy, then select Update policy to apply the DLP changes.

    Screenshot of the review screen when creating a DLP policy.

Confirm policy enforcement in Microsoft Copilot Studio

You can confirm that this connector is being used in the DLP policy from the Microsoft Copilot Studio web app.

First, open your copilot from the environment where the DLP policy is applied.

If the policy is enforced, you'll see an error banner with a Details button. On the Channels page, expand the error link and select the Download button to see details.

Screenshot of the banner that indicates DLP policies are in effect and that authentication must be configured.

In the details file, a row will appear describing the violation.

Screenshot of the DLP download spreadsheet.

Copilot makers can contact their admins with the DLP download spreadsheet details to make appropriate updates to the DLP policy. Alternatively, the copilot maker can update the copilot authentication to Authenticate with Microsoft or Authenticate manually (Azure Active Directory or Azure Active Directory v2) in the Authentication configuration page. See Configure user authentication in Microsoft Copilot Studio.

Authentication options that do not use Microsoft Entra ID authentication will not be selectable.

Screenshot of the authentication configuration panel with the 'Authenticate manually' option highlighted.