Limit sharing

In Managed Environments, admins can limit how broadly users can share canvas apps, flows, and agents. To configure these rules, select a Managed Environment from the environments list in the Power Platform admin center. Then, select Edit Managed Environments in the command bar. The sharing rules are located in the Manage sharing section.

Screenshot of an Edit Environment Management settings screen, with Limit sharing highlighted.

Canvas app sharing rules

Canvas app sharing rule Description
Don't set limits Select to not limit sharing canvas apps.
Exclude sharing with security groups Select if users aren't allowed to share canvas apps with any security groups or with everyone.
Limit total individuals who can be shared to If Exclude sharing with security groups is selected, you can control the maximum number of users with whom a canvas app can be shared.

Solution-aware cloud flow sharing rules

Solution-aware cloud flow sharing rules Description
Let people share solution-aware cloud flows When selected: Users can share solution-aware cloud flows with any number of individuals or security groups.

When not selected: Users can't share their cloud flows with any individual or security group.

Agent sharing rules (preview)

[This section is prerelease documentation and is subject to change.]

Agent sharing rule Description
Let people grant Editor permissions when agents are shared When selected: Owners and editors can share with any individual as an editor.

When not selected: Owners and editors can't share with an individual as an editor. This control doesn't affect the ability of owners or editors to share with viewers.
Let people grant Viewer permissions when agents are shared When selected: Owners and editors can share with any individual as a viewer and any security group.

When not selected: Owners and editors can't share with an individual as a viewer, nor can they share with a security group. This control doesn't prevent them from sharing their copilots with individuals as editors.
Only share with individuals (no security groups) If this is selected, owners and editors can only share with individuals as viewers. They can't share with a security group. This control doesn't affect an owner's or editor's ability to share with individuals as editors.
Limit number of viewers who can access each agent If Only share with individuals (no security groups) is selected, you can control the maximum number of viewers with whom an agent can be shared with.

Important

To learn more about Editor and Viewer permissions on agents, go to Copilot Studio security and governance.

Note

Sharing rules are enforced when users try to share an app, flow, or agent. This doesn't impact any existing users who already have access to the app, flow, or agent prior to the application of the sharing rules. However, if an app, flow, or agent is out of compliance after rules are set, only un-sharing is allowed until the app, flow, or agent is compliant with the new rules.

After sharing rules are set in the Power Platform admin center, it may take up to an hour for them to start getting enforced.

Sharing rules in Dataverse for Teams environments do not impact sharing to a Team when you select Publish to Teams. However, when a user attempts to share with individuals or groups in a Team other than the one bound to the environment, the sharing limits are enforced.

If a user tries to share a canvas app, solution-aware cloud flow, or agent that contradicts the sharing rules, they're informed as shown below.

If a user tries to share a canvas app, solution-aware cloud flow, or agent that contradicts the sharing rules, an error message is displayed.

Use PowerShell to set sharing limits

You can also use PowerShell to set and remove sharing limits.

Set sharing limits

Here's a PowerShell script that prevents canvas apps from being shared with security groups and limits the number of individuals that the canvas app can be shared with to 20.

# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>

# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'limitSharingMode' -Value "excludeSharingToSecurityGroups" -Force
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'maxLimitUserSharing' -Value "20" -Force

# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration

Here's a PowerShell script that turns off sharing for solution-aware cloud flows.

# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>

# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'solutionCloudFlows-limitSharingMode' -Value "disableSharing" -Force

# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration

Here's a PowerShell script that prevents agents from being shared with security groups and limits the number of viewers that can access an agent to 20.

# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>

# Update the Managed Environment settings
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'bot-limitSharingMode' -Value "ExcludeSharingToSecurityGroups" -Force
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'bot-maxLimitUserSharing' -Value "20" -Force

# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration

Here's a PowerShell script that turns off the ability to share your agents with individuals as Editors.

# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>

# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'bot-authoringSharingDisabled' -Value True -Force

# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration

Set 'bot-authoringSharingDisabled' to False to enable sharing with individuals as Editors.

Remove sharing limits

Here's a PowerShell script that removes the canvas app sharing limits.

# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>

# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'limitSharingMode' -Value "noLimit" -Force
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'maxLimitUserSharing' -Value "-1" -Force

# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration

To remove sharing limits for solution-aware cloud flows, run the following script.

# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>

# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'solutionCloudFlows-limitSharingMode' -Value "noLimit" -Force

# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration

To remove limits on sharing your agent with security groups or individuals as Viewers, run the following script.

# Retrieve the environment
$environment = Get-AdminPowerAppEnvironment -EnvironmentName <EnvironmentId>

# Update the Managed Environment settings
$governanceConfiguration = $environment.Internal.properties.governanceConfiguration
$governanceConfiguration.settings.extendedSettings | Add-Member -MemberType NoteProperty -Name 'bot-limitSharingMode' -Value "noLimit" -Force

# Save the updated Managed Environment settings
Set-AdminPowerAppEnvironmentGovernanceConfiguration -EnvironmentName <EnvironmentId> -UpdatedGovernanceConfiguration $governanceConfiguration

Surface your organization’s governance error content

If you specify governance, error message content to appear in error messages, it's included in the error message displayed to users. Learn more in PowerShell governance error message content commands.

Managed Environments overview
Enable Managed Environments
Usage insights
Data policies
Licensing
View license consumption (preview)
Tenant settings