Add Microsoft Graph security FAQ for regulated enterprise deployments #10865

Draft
Copilot wants to merge 2 commits into main from copilot/restrict-graph-access-ip-again

Contributor

Copilot AI commented Feb 17, 2026

Users deploying CoE Starter Kit in regulated enterprises need authoritative guidance on Microsoft Graph authentication architecture, source IP behavior, and security controls when IP-based restrictions aren't viable.

What's Added

New Documentation: CenterofExcellenceResources/FAQ-MicrosoftGraphSecurity.md

Authentication Architecture Clarification

  • Graph calls use service principal (app registration) with Client Credentials Flow, not Power Platform service context
  • Direct API calls via HTTP with Azure AD connector using ActiveDirectoryOAuth authentication
  • Application permissions (not delegated) - requires admin consent
  • Documents specific flows: CommandCenterAppGetM365ServiceMessages, HELPER-MakerCheck, AdminAuditLogsSyncAuditLogsV2

Source IP Behavior

  • Source IPs originate from shared Power Platform connector infrastructure
  • Dynamic, regional, non-tenant-specific - no published service tags or stable ranges
  • IP-based allowlisting and Conditional Access location policies are not supported

Security Controls for Regulated Environments

Ten comprehensive controls replacing IP restrictions:

  1. Conditional Access for Workload Identities - Block high-risk service principal sign-ins
  2. Least Privilege API Permissions - Permission audit guide and minimum required scopes
  3. Certificate-Based Authentication - Stronger than client secrets
  4. Secret Rotation - 90-day maximum lifetime, Azure Key Vault integration
  5. Monitoring & Alerting - Service principal sign-in logs, anomaly detection
  6. Dedicated Service Principals - Per-component isolation to reduce blast radius
  7. Regular Access Reviews - Quarterly governance checklist
  8. Network Segmentation - DLP policies for CoE environment
  9. Resource-Based Policies - Scope restrictions where available
  10. Data Residency Controls - Compliance mapping and transit considerations

Additional Content

  • Architecture diagram: Power Automate → Entra ID (service principal) → Microsoft Graph
  • Security baseline (Required/Recommended/Optional tiers)
  • Incident response guide for compromised credentials
  • Escalation talking points for compliance teams requiring IP restrictions
  • Links to Conditional Access for workload identities, Graph API permissions, Zero Trust docs

Original prompt

This section details the original issue you should resolve

<issue_title>[CoE Starter Kit - Question] restrict CoE Toolkit access MS Graph access by source IP</issue_title>
<issue_description>### Does this bug already exist in our backlog?

  • I have checked and confirm this is a new bug.

Describe the issue

We’re deploying the Power Platform CoE Starter Kit in a regulated enterprise and need authoritative clarification on Microsoft Graph usage and network/source IP behavior to meet security requirements.

Refer to the steps in "Create a Microsoft Entra app registration to connect to Microsoft Graph" at https://learn.microsoft.com/en-us/power-platform/guidance/coe/setup-core-components#set-up-the-coe-admin-command-center-app

Microsoft Support (TrackingID#2602050040000578) advised that while Entra ID can restrict Graph access by source IP, the blocker is identifying the actual source IP when requests originate from Power Platform/CoE, and that these CoE-specific questions are best answered by the GitHub CoE Toolkit owners.

Questions:

  1. Are Graph calls executed under the registered Entra ID app/service principal or a Power Platform service context?
  2. What is the source IP behavior for these Graph calls (any official outbound IPs/service tags to allowlist)?
  3. If IP restriction isn’t supported, what are the recommended supported controls (e.g., Conditional Access for workload identities / least-privilege guidance) without breaking CoE?

Thanks in advance—this will determine our security design for CoE rollout

Expected Behavior

No response

What solution are you experiencing the issue with?

Core

What solution version are you using?

4.50.6

What app or flow are you having the issue with?

Center of Excellence - Core Components

What method are you using to get inventory and telemetry?

None

Steps To Reproduce

No response

Anything else?

No response</issue_description>

<agent_instructions>Analyze the question why We’re deploying the Power Platform CoE Starter Kit in a regulated enterprise and need authoritative clarification on Microsoft Graph usage and network/source IP behavior to meet security requirements and troubleshoot the solution and provide the solution for this question.</agent_instructions>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: AmarSaiRam <220305901+AmarSaiRam@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Restrict CoE Toolkit access to MS Graph by source IP" to "Add Microsoft Graph security FAQ for regulated enterprise deployments" Feb 17, 2026
Copilot AI requested a review from AmarSaiRam February 17, 2026 06:32
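
As an added example (not code from this pull request or the CoE Starter Kit), the Python sketch below checks one app registration against controls 3 and 4 from the description above and lists its Microsoft Graph application permissions for the audit in control 2. It assumes the object shape of Microsoft Graph's `application` resource; the sample registration, its name, key IDs and permission IDs are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_SECRET_LIFETIME = timedelta(days=90)  # maximum lifetime named in control 4
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

def _ts(value):  # Graph timestamps are ISO 8601 UTC with a trailing "Z"
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_app_registration(app, now):
    """Return (code, detail) findings for one Graph `application` object."""
    findings = []
    secrets = app.get("passwordCredentials", [])
    live_certs = [k for k in app.get("keyCredentials", []) if _ts(k["endDateTime"]) > now]
    for s in secrets:
        start, end = _ts(s["startDateTime"]), _ts(s["endDateTime"])
        label = s.get("displayName") or s["keyId"]
        if end <= now:
            findings.append(("SECRET_EXPIRED", label))  # stale entry, remove it
        elif end - start > MAX_SECRET_LIFETIME:
            findings.append(("SECRET_LIFETIME_OVER_90D", label))
    if any(_ts(s["endDateTime"]) > now for s in secrets) and not live_certs:
        findings.append(("SECRET_ONLY_NO_CERTIFICATE", app["displayName"]))
    for rra in app.get("requiredResourceAccess", []):
        if rra["resourceAppId"] != GRAPH_APP_ID:
            continue
        for access in rra["resourceAccess"]:
            if access["type"] == "Role":  # application permission, needs admin consent
                findings.append(("GRAPH_APP_ROLE_TO_REVIEW", access["id"]))
    return findings

# Constructed sample registration (hypothetical name, key IDs and permission IDs).
SAMPLE_APP = {
    "displayName": "coe-graph-example",
    "passwordCredentials": [
        {"keyId": "k1", "displayName": "two-year secret",
         "startDateTime": "2026-01-01T00:00:00Z", "endDateTime": "2028-01-01T00:00:00Z"},
        {"keyId": "k2", "displayName": "rotated secret",
         "startDateTime": "2026-01-15T00:00:00Z", "endDateTime": "2026-04-01T00:00:00Z"},
        {"keyId": "k3", "displayName": "old secret",
         "startDateTime": "2025-06-01T00:00:00Z", "endDateTime": "2025-08-01T00:00:00Z"},
    ],
    "keyCredentials": [],
    "requiredResourceAccess": [{"resourceAppId": GRAPH_APP_ID, "resourceAccess": [
        {"id": "11111111-1111-1111-1111-111111111111", "type": "Role"},
        {"id": "22222222-2222-2222-2222-222222222222", "type": "Scope"}]}],
}
SAMPLE_NOW = datetime(2026, 2, 17, tzinfo=timezone.utc)
if __name__ == "__main__":
    print(audit_app_registration(SAMPLE_APP, SAMPLE_NOW))
```

The permission IDs it reports still have to be compared by hand against the minimum scopes the FAQ documents, which this page does not list.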
Development

Successfully merging this pull request may close these issues.

[CoE Starter Kit - Question] restrict CoE Toolkit access MS Graph access by source IP