Add FAQ documentation for Microsoft Graph security and network controls

[Copilot]

Enterprise customer asked for authoritative guidance on MS Graph authentication context, source IP behavior, and security controls for CoE deployments in regulated environments.

New Documentation

CenterofExcellenceResources/FAQ-MicrosoftGraphSecurity.md:

• Authentication context: CoE flows use delegated permissions via Power Platform connectors, not direct service principal auth. Entra ID app registration is for setup wizard validation only.
• Source IP behavior: Power Platform uses dynamic, shared infrastructure IPs. Static IPs unavailable. IP-based Graph restrictions not feasible.
• Recommended controls: Dedicated service accounts, Conditional Access policies, least-privilege Graph permissions, audit logging, regular access reviews.

Includes architecture diagrams, flow-by-flow Graph API usage reference, and comparison table for standard flows vs custom service principal approaches.

Updated

docs/README.md: Added reference to new FAQ alongside existing admin documentation.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[CoE Starter Kit - Question] restrict CoE Toolkit access MS Graph access by source IP</issue_title>
<issue_description>### Does this bug already exist in our backlog?

• I have checked and confirm this is a new bug.

Describe the issue

We’re deploying the Power Platform CoE Starter Kit in a regulated enterprise and need authoritative clarification on Microsoft Graph usage and network/source IP behavior to meet security requirements.

refer steps "Create a Microsoft Entra app registration to connect to Microsoft Graph" as https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup-core-components#set-up-the-coe-admin-command-center-app

Microsoft Support (TrackingID#2602050040000578) advised that while Entra ID can restrict Graph access by source IP, the blocker is identifying the actual source IP when requests originate from Power Platform/CoE, and that these CoE-specific questions are best answered by the GitHub CoE Toolkit owners.

Questions:

1. Are Graph calls executed under the registered Entra ID app/service principal or a Power Platform service context?
2. What is the source IP behavior for these Graph calls (any official outbound IPs/service tags to allowlist)?
3. If IP restriction isn’t supported, what are the recommended supported controls (e.g., Conditional Access for workload identities / least-privilege guidance) without breaking CoE

Thanks in advance—this will determine our security design for CoE rollout

Expected Behavior

No response

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.50.6

What app or flow are you having the issue with?

Center of Excellence - Core Components

What method are you using to get inventory and telemetry?

None

Steps To Reproduce

No response

Anything else?

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [CoE Starter Kit - Question] restrict CoE Toolkit access MS Graph access by source IP #10860

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.