On January 6, 2025, we published a Message Center announcement (Message ID MC973179) to Power Platform customers regarding updates to Data Loss Prevention (DLP) policy enforcement in Copilot Studio. The announcement outlines a transition from the current opt-in enforcement process to a phased approach where the default enforcement level will move from "Disabled" to "Enabled" by March 2025, ensuring all bots comply with tenant-defined DLP policies.
It is critical to take proactive steps to align your DLP policies with your production workloads to avoid potential disruptions. Misaligned configurations, such as DLP policies blocking new connectors by default, could result in production outages. For example, essential features like Direct Line or unauthenticated agent deployments on websites may be unexpectedly blocked.
This document provides guidance to help you review and adjust your DLP policies to ensure seamless operations while maintaining compliance with organizational standards.
Symptoms
DLP policy violations can affect your agents in multiple ways, and present error messages when they occur. In the following example, DLP policy changes are specifically mentioned as the reason why publishing failed:
In this example, the error messages say:
- Draft agent status: You have errors in your draft that will prevent publishing. Due to a recent data loss prevention policy change, some issues are preventing your agent from working correctly. Download the file to review the error details and contact your admin. You need to configure at least one channel (for example, Teams) due to recent DLP policy changes. Contact your admin with questions.
- Published agent status: You have errors in your published agent. Due to a recent data loss prevention policy change, some issues are preventing your agent from working correctly. Download the file to review the error details and contact your admin. You need to configure at least one channel (for example, Teams) due to recent DLP policy changes. Contact your admin with questions.
DLP policy violations for agent makers in Copilot Studio
If the agent is violating a DLP policy for the environment, makers will see a warning notification in Copilot Studio that says, "1 error is preventing your agent from being published. 1 error may be preventing your agent from working as intended."
DLP policy violations when trying to publish
If you try to publish an agent that violates a DLP policy, an error message is displayed, "We failed to publish your agent. Try publishing again later. Validation for the bot failed."
Select Show raw to get detailed error information in JSON format, including the violation type and a description of the error. In this example, the JSON contains values for the following keys:
- errorDescription: At least one connector here has been blocked by your admin
- $kind: DlpViolationError
- violationType: BlockedConnector
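The following added example (not part of the original page or of Copilot Studio) shows one way to pull the DLP entries out of raw error JSON pasted from Show raw, without depending on how deeply they are nested. Only the three keys listed above come from the page; the surrounding envelope, the second entry, and the function names are assumptions.

```python
import json

# Constructed sample: only $kind, violationType and errorDescription (and their
# values in the first entry) come from the page; the envelope is assumed.
RAW_ERROR = """
{
  "error": {
    "message": "Validation for the bot failed.",
    "details": [
      {
        "$kind": "DlpViolationError",
        "violationType": "BlockedConnector",
        "errorDescription": "At least one connector here has been blocked by your admin"
      },
      {
        "$kind": "ConstructedNonDlpError",
        "errorDescription": "constructed entry that must be ignored"
      }
    ]
  }
}
"""

def find_dlp_violations(node, path="$"):
    """Recursively collect every object whose $kind is DlpViolationError."""
    found = []
    if isinstance(node, dict):
        if node.get("$kind") == "DlpViolationError":
            found.append({
                "path": path,
                "violationType": node.get("violationType", "<missing>"),
                "errorDescription": node.get("errorDescription", "<missing>"),
            })
        for key, value in node.items():
            found.extend(find_dlp_violations(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found.extend(find_dlp_violations(value, f"{path}[{index}]"))
    return found

def summarize(raw_text):
    """Parse pasted raw error text; return one tuple per DLP violation."""
    try:
        doc = json.loads(raw_text)
    except json.JSONDecodeError:
        return []  # not valid JSON (for example a truncated paste)
    return [(v["violationType"], v["errorDescription"], v["path"])
            for v in find_dlp_violations(doc)]
```
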
DLP policy violations for end users of the agent
If your published agent is impacted by DLP policy enforcement and is in violation of your DLP policies, end users of the agent will see a DataLossPreventionViolation error when trying to interact with it.
The message says "Sorry, something unexpected happened. We're looking into it. Error code: DataLossPreventionViolation." and includes the conversation ID and time of the error.
End users should contact their admin to resolve the issue. The admin can check the DLP policy violations and update the policies or the agent configuration as needed.
Reason
Microsoft Copilot Studio DLP enablement has been soft enabled for all customers over the course of January and February 2025. With this change, makers see DLP-related errors when publishing or managing agents that violate existing DLP policies, but their actions aren't immediately blocked for agents that are already published.
With these changes, DLP policy exemption is no longer supported, and agents can't be exempted. The ability to exempt agents with a PowerShell command won't work.
Agents that were exempted from DLP policy enforcement had their enforcement set to Soft-enabled in January and February of 2025, and set to Enabled in February and March of 2025.
Mitigation
Makers need to work with admins to check the publish status of all agents deployed in production to identify any potential issues caused by DLP violations. Using the insights from the publish errors and downloadable reports in the Channels tab, admins can adjust their DLP policies to align with their production workloads.
Identify agents in violation of a DLP policy
From the Channels tab in Copilot Studio, you can immediately see warnings if your agent is in violation of DLP policies.
You can also select the Details link in the error notification to get more information about a violation. The Channels tab automatically opens and summarizes the DLP policy violations preventing new publication for an unpublished (or "draft") agent, or that are causing errors for a published agent.
Select Download to retrieve an Excel workbook that contains detailed information about the DLP policy violations. The workbook includes a summary of the errors, including the specific DLP policy name, ID, and the blocked connector causing the issue.
There are two worksheets in the Excel file:
- DLP violations, containing details for the DLP policy violations for that agent.
- Blocked channels, containing a list of the channels that are currently blocked by DLP policies for the agent.
The DLP violations sheet provides the name of the agent (as Copilot name) and its environment, followed by a table with the following columns:
Column | Description |
---|---|
Content | The publication status of the agent |
Topic name | Name of the topic that triggered the violation, if applicable |
Subcomponent | Category of the activity |
Subcomponent type | Category for the DLP surface area |
DLP policy name | The name of the policy (defined by the admin when the policy was created) |
Policy id | GUID for the policy |
DLP error type | The outcome of the policy (for example, Connector blocked) |
Connector (data group) | Name of the connector that triggered the violation |
The Blocked channels sheet includes the name of the agent (as Copilot name), along with the environment name. It's followed by a table with the following columns:
Column | Description |
---|---|
Channel name | The name of the channel where the agent was blocked by a DLP policy violation |
DLP policy name | The name of the policy (defined by the admin when the policy was created) |
Policy id | GUID for the policy |
Important
If all channels for the agent are blocked by DLP policies, you can't publish your agent.
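When several production agents report violations, it helps to merge their downloaded reports into one list per policy. The following added example (not part of the original page or of any Microsoft tooling) does this for the DLP violations table, assuming each agent's table was saved as CSV with the documented column headers; the agent names, policy names, GUIDs, connector names and other cell values are constructed.

```python
import csv
import io
from collections import defaultdict

# Header = the documented columns of the "DLP violations" sheet.
HEADER = ("Content,Topic name,Subcomponent,Subcomponent type,DLP policy name,"
          "Policy id,DLP error type,Connector (data group)\n")
P1 = "00000000-0000-0000-0000-000000000001"  # placeholder GUIDs, not real policies
P2 = "00000000-0000-0000-0000-000000000002"

def _row(topic, policy, policy_id, connector):
    # Constructed values; only "Connector blocked" is quoted from the page.
    return (f"Published,{topic},Action,Connector,{policy},{policy_id},"
            f"Connector blocked,{connector}\n")

# Assumption: each agent's table was saved as CSV, keyed here by agent name.
REPORTS = {
    "HR Helper": HEADER + _row("Leave request", "Tenant baseline", P1, "Connector A")
                        + _row("", "Tenant baseline", P1, "Connector B"),
    "IT Desk": HEADER + _row("Reset password", "Tenant baseline", P1, "Connector A")
                      + _row("Order laptop", "Finance env", P2, "Connector C"),
}

def policy_change_list(reports):
    """Group violations by policy, then connector, listing affected agents."""
    grouped = defaultdict(lambda: defaultdict(set))
    for agent, csv_text in reports.items():
        for row in csv.DictReader(io.StringIO(csv_text)):
            policy = (row["Policy id"].strip(), row["DLP policy name"].strip())
            connector = row["Connector (data group)"].strip()
            if policy[0] and connector:  # skip blank or partial rows
                grouped[policy][connector].add(agent)
    result = []
    for (policy_id, name), connectors in grouped.items():
        agents = set().union(*connectors.values())
        result.append({
            "policy_id": policy_id,
            "policy_name": name,
            "agents_affected": len(agents),
            "connectors": {c: sorted(a) for c, a in sorted(connectors.items())},
        })
    # Policies that affect the most agents come first.
    return sorted(result, key=lambda r: (-r["agents_affected"], r["policy_id"]))

if __name__ == "__main__":
    for entry in policy_change_list(REPORTS):
        print(entry["policy_name"], entry["policy_id"], entry["connectors"])
```
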
Identify users with sufficient permissions to update DLP policies
After identifying DLP policies that may need to be updated, you'll need an admin to update Data Loss Prevention (DLP) policies in the Power Platform Admin Center.
See Configure data loss prevention policies for agents for more details and examples of using DLP policies in Copilot Studio.
When an agent is in violation of a DLP policy, makers need to determine what policies are impacting them. DLP policies can be defined at the tenant level (to impact all environments in a tenant) or for one or more specific environments.
Tenant-wide DLP policies require a tenant-level administrator. Environment-specific DLP policies can be configured by users with a less permissive role in the environment.