Limit sharing
In Managed Environments, admins can limit how broadly users can share canvas apps, flows, and agents. To configure these rules, select a Managed Environment from the environments list in the Power Platform admin center. Then, select Edit Managed Environments in the command bar. The sharing rules are located in the Manage sharing section.
Canvas app sharing rules
Canvas app sharing rule | Description |
---|---|
Don't set limits | Select to not limit sharing canvas apps. |
Exclude sharing with security groups | Select if users aren't allowed to share canvas apps with any security groups or with everyone. |
Limit total individuals who can be shared to | If Exclude sharing with security groups is selected, you can control the maximum number of users with whom a canvas app can be shared. |
Solution-aware cloud flow sharing rules
Solution-aware cloud flow sharing rules | Description |
---|---|
Let people share solution-aware cloud flows | When selected: Users can share solution-aware cloud flows with any number of individuals or security groups. When not selected: Users can't share their cloud flows with any individual or security group. |
Agent sharing rules (preview)
[This section is prerelease documentation and is subject to change.]
Agent sharing rule | Description |
---|---|
Let people grant Editor permissions when agents are shared | When selected: Owners and editors can share with any individual as an editor. When not selected: Owners and editors can't share with an individual as an editor. This control doesn't affect the ability of owners or editors to share with viewers. |
Let people grant Viewer permissions when agents are shared | When selected: Owners and editors can share with any individual as a viewer and any security group. When not selected: Owners and editors can't share with an individual as a viewer, nor can they share with a security group. This control doesn't prevent them from sharing their copilots with individuals as editors. |
Only share with individuals (no security groups) | If this is selected, owners and editors can only share with individuals as viewers. They can't share with a security group. This control doesn't affect an owner's or editor's ability to share with individuals as editors. |
Limit number of viewers who can access each agent | If Only share with individuals (no security groups) is selected, you can control the maximum number of viewers with whom an agent can be shared with. |
Important
- This is a production-ready preview feature.
- Production-ready previews are subject to supplemental terms of use.
To learn more about Editor and Viewer permissions on agents, go to Copilot Studio security and governance.
Note
Sharing rules are enforced when users try to share an app, flow, or agent. This doesn't impact any existing users who already have access to the app, flow, or agent prior to the application of the sharing rules. However, if an app, flow, or agent is out of compliance after rules are set, only un-sharing is allowed until the app, flow, or agent is compliant with the new rules.
After sharing rules are set in the Power Platform admin center, it may take up to an hour for them to start getting enforced.
Sharing rules in Dataverse for Teams environments do not impact sharing to a Team when you select Publish to Teams. However, when a user attempts to share with individuals or groups in a Team other than the one bound to the environment, the sharing limits are enforced.
If a user tries to share a canvas app, solution-aware cloud flow, or agent that contradicts the sharing rules, they're informed as shown below.
Use PowerShell to set sharing limits
You can also use PowerShell to set and remove sharing limits.
Set sharing limits
Here's a PowerShell script that prevents canvas apps from being shared with security groups and limits the number of individuals that the canvas app can be shared with to 20.
# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>
# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'limitSharingMode' -Value "excludeSharingToSecurityGroups" -Force
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'maxLimitUserSharing' -Value "20" -Force
# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration
Here's a PowerShell script that turns off sharing for solution-aware cloud flows.
# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>
# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'solutionCloudFlows-limitSharingMode' -Value "disableSharing" -Force
# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration
Here's a PowerShell script that prevents agents from being shared with security groups and limits the number of viewers that can access an agent to 20.
# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>
# Update the Managed Environment settings
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'bot-limitSharingMode' -Value "ExcludeSharingToSecurityGroups" -Force
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'bot-maxLimitUserSharing' -Value "20" -Force
# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration
Here's a PowerShell script that turns off the ability to share your agents with individuals as Editors.
# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>
# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'bot-authoringSharingDisabled' -Value True -Force
# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration
Set 'bot-authoringSharingDisabled' to False to enable sharing with individuals as Editors.
Remove sharing limits
Here's a PowerShell script that removes the canvas app sharing limits.
# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>
# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'limitSharingMode' -Value "noLimit" -Force
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'maxLimitUserSharing' -Value "-1" -Force
# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration
To remove sharing limits for solution-aware cloud flows, run the following script.
# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>
# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'solutionCloudFlows-limitSharingMode' -Value "noLimit" -Force
# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration
To remove limits on sharing your agent with security groups or individuals as Viewers, run the following script.
# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>
# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'bot-limitSharingMode' -Value "noLimit" -Force
# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration
Surface your organization’s governance error content
If you specify governance, error message content to appear in error messages, it's included in the error message displayed to users. Learn more in PowerShell governance error message content commands.
Related content
Managed Environments overview
Enable Managed Environments
Usage insights
Data policies
Licensing
View license consumption (preview)
Tenant settings