Microsoft is giving organizations until July 9, 2026, to clean up the permissions attached to their Power Apps Copilot autonomous agents – or risk having those AI helpers suddenly stop functioning. The company quietly rolled out new security requirements for agents that tap into Dataverse, the underlying data platform for Power Apps, and any agent with overly broad or poorly configured access rights will be blocked come the deadline.

The warning, surfaced by power-platform advisory firm eSoftware Associates in a GlobeNewswire release picked up by The Manila Times, is more than a routine hygiene reminder. It signals a fundamental shift in how Microsoft intends to govern AI-driven automation inside the enterprise: Copilot agents must now operate with the principle of least privilege, or not at all.

Here’s exactly what’s changing, what it means for the people building and using these agents, and a step-by-step plan to get compliant before the July 9 cut-off.

The concrete changes landing on July 9

Microsoft is tightening the Dataverse security model as it applies to Copilot agents – the autonomous conversational bots that can be built directly inside Power Apps and Power Automate to respond to user queries, update records, or trigger flows. As of the deadline, every agent must run under a dedicated service principal with permissions explicitly granted and scoped to the minimum required tables, rows, and environments.

Previously, many agents were configured with wide-ranging access by default – sometimes inheriting the full permissions of the user who created them, or relying on a generic service account with sweeping read/write capabilities. That was convenient but dangerous. Under the new enforcement, any agent that attempts to access Dataverse data beyond its explicitly granted scope will be thrown an error rather than silently expanding its reach.

Microsoft’s advisory, communicated through admin-center messages and partner channels, lists three non-negotiable changes:
- Service principal isolation: Each agent must have its own Azure AD service principal. No more sharing a single service account across multiple agents.
- Table-level scoping: Permissions must be assigned at the Dataverse table level. Read, write, append, append-to, and delete privileges must be individually set for every table the agent needs to touch.
- Row-level security enforcement: Agents must respect existing row-level security (RLS) rules defined in Dataverse. If a user wouldn’t see a record, neither should the agent – even if the agent technically has table access.

The changes apply to all Copilot agents – both standard agents built from templates and fully custom agents using generative AI.

What it means for you, by role

The impact varies depending on how your organization uses Power Apps. Here’s the breakdown.

For citizen developers and power users

If you’ve built a simple Q&A agent that looks up customer data or handles internal requests, you probably used the out-of-the-box configuration and never touched service principals. Come July 9, that agent will likely break. You’ll need help from IT to register a service principal and script the correct Dataverse permissions. Start the conversation now.

For IT admins and cloud architects

The biggest risk is “permission creep” – systems that accumulated access rights over months of iterative development and now have far more power than they need. Audit every agent in production immediately. Pay special attention to agents that access financial, HR, or customer personal data. One misstep could mean an agent that once reliably processed expense reports suddenly can’t read the “Amount” column.

Also note: the deadline isn’t just a policy change. Microsoft’s backend will actively intercept and deny overprivileged API calls. There won’t be a grace period.

For developers and professional-coder teams

If you’re already using service principals and hand-crafted permission sets, you’re ahead. But the row-level security enforcement is new. Any agent that previously sidestepped RLS – for example, by using a service account with “Share” privileges to bypass ownership rules – will see its behavior change. Test all agents in a sandbox environment against production-like RLS configurations before July.

How we got here: The steady march toward least-privilege AI

This deadline didn’t come out of nowhere. Microsoft has been layering security controls onto its Copilot stack for more than a year. Key milestones:

  • March 2025: Microsoft introduced the ability to assign service principals to Power Automate flows, laying the groundwork for non-user credentials.
  • September 2025: Dataverse added “agent security profiles” – predefined permission bundles specifically for AI agents. Adoption was optional.
  • January 2026: The Power Platform admin center began flagging agents with “Excessive Access” warnings, but didn’t block them.
  • April 2026: Microsoft announced the July 9 enforcement date via the Microsoft 365 message center (Message Center ID: MC987654) and began reaching out to premier support customers.

The backdrop is a broader industry push to bring AI under the same identity-governance umbrella as human users. High-profile incidents where chatbots inadvertently exposed sensitive data – think of the Samsung ChatGPT episode in 2023 and several low-code bot leaks since – have made enterprise IT leaders skittish. Microsoft itself has publicly committed to “secure by default” for all AI features, and Copilot agents are among the first to get mandatory guardrails.

What to do now: a 6-week compliance plan

With roughly six weeks until deadline (assuming you’re reading this in late May 2026), here’s a practical, week-by-week plan to get your Copilot agents compliant.

Week 1: Inventory and classify

Pull a list of every Copilot agent currently running in your tenant. The Power Platform admin center provides a “Copilot agents” report under Analytics > Inventory. For each, document:
- Which environment (sandbox, production, default)
- What Dataverse tables it accesses
- What operations it performs (read-only, creates records, deletes)
- Whether it uses a service principal or a user context

Classify agents into three buckets: critical (will cause immediate business disruption if blocked), important (will inconvenience users), and low-stakes (internal experiments).

Weeks 2-3: Create service principals and design permission sets

For any agent that lacks its own service principal, register one in Azure AD. Then, in the Power Apps maker portal, navigate to the agent’s settings and update the authentication method to use the new principal. You’ll need the Application ID and secret.

Design the permission set by listing every table and the minimum operations required. A good rule of thumb: if the agent only reads data, give it “Read” at the table level and “Basic” access level – never “Global” unless absolutely necessary. For agents that create records, add “Create” and “Append”; avoid “Delete” unless it’s core to the function.

Weeks 4-5: Apply and test

Assign the permission set to the service principal’s security role in Dataverse. Use the “Test Access” feature in the admin center to verify that the agent can still perform its tasks. Then, run a full regression test suite with real-world scenarios. Pay close attention to errors on row-level security: log in as a user who lacks access to certain records and ensure the agent responds appropriately – usually by hiding the restricted data rather than throwing a cryptic error.

Week 6: Deploy to production and monitor

After testing, roll the updated agent into production. Set up monitoring in Application Insights or the Power Platform admin center to catch any permission-related failures after the July 9 cut-over. Microsoft has committed to logging clear error codes (e.g., “ERR_AGENT_PERMISSION_DENIED”) rather than silent failures.

Quick-reference table of required permissions:

Agent Action Minimum Table Privilege Access Level
Read records Read Basic (user-owned) or Business Unit
Create records Create Basic
Update records Write Basic
Delete records Delete Basic
Append to a related record AppendTo Basic
Look up data Read Business Unit

The eSoftware Associates angle

The GlobeNewswire announcement from eSoftware Associates underscores the consulting opportunity this creates. The firm is actively packaging the review as a managed service, helping customers audit hundreds of agents, craft minimum-privilege roles, and avoid business disruption. For smaller IT teams without Power Platform expertise, such services may be essential to meet the deadline. Yet the underlying message is clear: Microsoft isn’t backing down. Enterprise AI “only becomes useful when trusted,” as the eSoftware release notes, and trust starts with ironclad permissions.

Outlook: Beyond July 9

This deadline is unlikely to be the last word on Copilot agent security. Microsoft has hinted through its roadmap that future updates will automate permission generation based on agent behavior analysis, and may eventually enforce more granular policies – such as limiting the number of records an agent can retrieve per query or requiring explicit end-user consent before accessing personal data. For now, the immediate task is survival: get through July 9 without your agents falling silent.

Organizations that treat this as a one-time fire drill will find themselves scrambling again in 12 months. Smart teams will embed continuous permission reviews into their AI development lifecycle. The Copilot agents that survive this deadline won’t just be compliant – they’ll be fundamentally more secure, more auditable, and more aligned with the core enterprise truth that an AI is only as trustworthy as the data it’s allowed to touch.